From ddf5f8edd41b95abf1bf258e6d2b9ff25f3d9759 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:32:28 +1100 Subject: [PATCH 01/12] Rewording structure for clarity --- draft-ietf-httpbis-encryption-encoding.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 631f08e0f..67c0272fb 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -127,8 +127,9 @@ scheme. This ensures that only the HTTP Accept-Encoding header field is necessary to negotiate the use of encryption. The "aesgcm" content coding uses a fixed record size. The resulting encoding is -either a single record, or a series of fixed-size records. The final record, or -a lone record, MUST be shorter than the fixed record size. +any number of fixed-size records - which could be zero records - followed by a +single partial record. The partial record MUST be shorter than the fixed record +size. ~~~ drawing +-----------+ content is rs octets minus padding From 1b376a85c1d6c60fc0178cdd5bdbbd9ff93edc16 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:34:44 +1100 Subject: [PATCH 02/12] No underscores in ABNF names --- draft-ietf-httpbis-encryption-encoding.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 67c0272fb..41560236a 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -207,8 +207,8 @@ The `Encryption` header field uses the extended ABNF syntax defined in Section 1.2 of {{!RFC7230}} and the `parameter` and `OWS` rules from {{!RFC7231}}. ~~~ abnf7230 - Encryption = #encryption_params - encryption_params = [ parameter *( OWS ";" OWS parameter ) ] + Encryption = #encryption-params + encryption-params = [ parameter *( OWS ";" OWS parameter ) ] ~~~ If the payload is encrypted more than once (as reflected by having multiple @@ -338,8 +338,8 @@ The Crypto-Key header field uses the extended ABNF syntax defined in Section 1.2 of {{!RFC7230}} and the `parameter` and `OWS` rules from {{!RFC7231}}. ~~~ abnf7230 - Crypto-Key = #crypto_key_params - crypto_key_params = [ parameter *( OWS ";" OWS parameter ) ] + Crypto-Key = #crypto-key-params + crypto-key-params = [ parameter *( OWS ";" OWS parameter ) ] ~~~ keyid: From 97b3c12cc570e65398731b8bb34a6b5e55d6e2e4 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:42:49 +1100 Subject: [PATCH 03/12] Require the use of Encryption --- draft-ietf-httpbis-encryption-encoding.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 41560236a..4e233ff4d 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -216,6 +216,12 @@ content codings that imply encryption), each application of the content coding is reflected in a separate Encryption header field value in the order in which they were applied. +Content codings that use the Encryption header field MUST always include a +value for the header field when the content coding has been applied. If no +parameters are needed, then a dummy value is necessary to avoid confusion about +which set of parameters applies to which content coding. This requirement +applies to uses of the `aesgcm` content coding. + Encryption header field values with multiple instances of the same parameter name are invalid. From a0c51a26481e50d64f109d9923dcfd0ea6a5424d Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:43:44 +1100 Subject: [PATCH 04/12] Clarify where name uniqueness applies --- draft-ietf-httpbis-encryption-encoding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 4e233ff4d..6ad2e6125 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -223,7 +223,7 @@ which set of parameters applies to which content coding. This requirement applies to uses of the `aesgcm` content coding. Encryption header field values with multiple instances of the same parameter -name are invalid. +name in a single encryption-params production are invalid. Servers processing PUT requests MUST persist the value of the Encryption header field, unless they remove the content coding by decrypting the payload. From bd0eef2a451a177416c59a6025d6281d29d9c738 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:45:53 +1100 Subject: [PATCH 05/12] Identify the key consistently in the example --- draft-ietf-httpbis-encryption-encoding.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 6ad2e6125..5167b183e 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -359,7 +359,7 @@ aesgcm: the input keying material for the "aesgcm" content coding. Crypto-Key header field values with multiple instances of the same parameter -name are invalid. +name in a single crypto-key-params production are invalid. The input keying material used by the key derivation (see {{derivation}}) can be determined based on the information in the Crypto-Key header field. @@ -388,7 +388,7 @@ wrapping is added to fit formatting constraints. ## Encryption of a Response {#explicit} Here, a successful HTTP GET response has been encrypted using input keying -material that is identified by a URI. +material that is identified by the string "a1". The encrypted data in this example is the UTF-8 encoded string "I am the walrus". The input keying material is included in the Crypto-Key header field. From 4e510beb46a37e2a7b2c3575f37703b9913e01c8 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:46:49 +1100 Subject: [PATCH 06/12] Content-Type can be omitted and it means the same --- draft-ietf-httpbis-encryption-encoding.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 5167b183e..91701451d 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -407,7 +407,8 @@ VDeU0XxaJkOJDAxPl7h9JD5V8N43RorP7PfpPdZZQuwF ~~~ Note that the media type has been changed to "application/octet-stream" to avoid -exposing information about the content. +exposing information about the content. Alternatively (and equivalently), the +Content-Type header field can be omitted. ## Encryption with Multiple Records From 63850db4fdfa1c76119d4062f06cd1ed81e3d386 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:55:59 +1100 Subject: [PATCH 07/12] Remove ad hoc, un-useful 7515 reference --- draft-ietf-httpbis-encryption-encoding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 91701451d..166db1511 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -245,7 +245,7 @@ keyid: salt: -: The "salt" parameter contains a base64url-encoded octets {{!RFC7515}} that is +: The "salt" parameter contains a base64url-encoded octets that is used as salt in deriving a unique content encryption key (see {{derivation}}). The "salt" parameter MUST be present, and MUST be exactly 16 octets long when decoded. The "salt" parameter MUST NOT be reused for two different payload From 80225a42a2e57555741f5d980b126645831dd09f Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:58:12 +1100 Subject: [PATCH 08/12] Note about || operator --- draft-ietf-httpbis-encryption-encoding.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 166db1511..7c731bf1d 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -287,6 +287,9 @@ aesgcm", a single zero octet and an optional context string: cek_info = "Content-Encoding: aesgcm" || 0x00 || context ~~~ +Note: +: Concatenation of octet sequences is represented by the `||` operator. + Unless otherwise specified, the context is a zero length octet sequence. Specifications that use this content coding MAY specify the use of an expanded context to cover additional inputs in the key derivation. From 7f3a35c60e635a782804e18a59c6ff884d38ed15 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 14:59:39 +1100 Subject: [PATCH 09/12] Grammar: that --- draft-ietf-httpbis-encryption-encoding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 7c731bf1d..1284655dc 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -306,7 +306,7 @@ therefore be simplified to the first 16 octets of a single HMAC: ## Nonce Derivation {#nonce} The nonce input to AEAD_AES_128_GCM is constructed for each record. The nonce -for each record is a 12 octet (96 bit) value is produced from the record +for each record is a 12 octet (96 bit) value that is produced from the record sequence number and a value derived from the input keying material. The input keying material and salt values are input to HKDF with different info From 31c4bc45e687b05ce7e51d2165c506e12edda628 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 15:00:21 +1100 Subject: [PATCH 10/12] an context, hehe --- draft-ietf-httpbis-encryption-encoding.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 1284655dc..ebdbc018d 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -313,7 +313,7 @@ The input keying material and salt values are input to HKDF with different info and length parameters. The length (L) parameter is 12 octets. The info parameter for the nonce is the -ASCII-encoded string "Content-Encoding: nonce", a single zero octet and an +ASCII-encoded string "Content-Encoding: nonce", a single zero octet and a context: ~~~ inline From 8ea47392c0ac7e8725892b3e5d169a0f72e2b07a Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 15:04:20 +1100 Subject: [PATCH 11/12] Update XMLENC reference --- draft-ietf-httpbis-encryption-encoding.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index ebdbc018d..5ac6cc965 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -35,12 +35,16 @@ informative: author: - ins: D. Eastlake - ins: J. Reagle + - ins: F. Hirsch + - ins: T. Roessler - ins: T. Imamura - ins: B. Dillaway - ins: E. Simon - date: 2002-12 + - ins: K. Yiu + - ins: M. Nyström + date: 2013-01-24 seriesinfo: W3C REC - target: "http://www.w3.org/TR/xmlenc-core/" + target: "https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411" AEBounds: title: "Limits on Authenticated Encryption Use in TLS" author: From 67b65dfdc7877f819463af89c8203a41cbc1d67c Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 19 Oct 2016 15:10:17 +1100 Subject: [PATCH 12/12] Explain why aesgcm doesn't need a dummy parameter --- draft-ietf-httpbis-encryption-encoding.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-encryption-encoding.md b/draft-ietf-httpbis-encryption-encoding.md index 5ac6cc965..9ea19c639 100644 --- a/draft-ietf-httpbis-encryption-encoding.md +++ b/draft-ietf-httpbis-encryption-encoding.md @@ -43,7 +43,7 @@ informative: - ins: K. Yiu - ins: M. Nyström date: 2013-01-24 - seriesinfo: W3C REC + seriesinfo: W3C Recommendation REC-xmlenc-core1-20130411 target: "https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411" AEBounds: title: "Limits on Authenticated Encryption Use in TLS" @@ -224,7 +224,8 @@ Content codings that use the Encryption header field MUST always include a value for the header field when the content coding has been applied. If no parameters are needed, then a dummy value is necessary to avoid confusion about which set of parameters applies to which content coding. This requirement -applies to uses of the `aesgcm` content coding. +applies to uses of the `aesgcm` content coding, which does not need a dummy +value since the `salt` parameter is mandatory. Encryption header field values with multiple instances of the same parameter name in a single encryption-params production are invalid.