Core 8.1: Revise example pairwise algorithms
I recently saw people try to implement pairwise IDs by following the provided crypto examples 1:1. I think we can provide better guidance on that. I discussed that with Tim McLean, who you probably remember from his security review on JWT libs two years back.
On example 1:
Calculate sub = SHA-256 ( sector_identifier || local_account_id || salt )
Instead of suggesting that people build their own PRF, we could point them to standard HMAC.
On example 2:
Calculate sub = AES-128 ( sector_identifier || local_account_id || salt )
Similarly, here we could point developers to the existing standard on AES encryption in SIV mode (RFC 5297), which offers deterministic authenticated encryption:
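The two constructions under discussion side by side, as an added example that is not part of the issue or of the OpenID Connect specification: the spec's example 1 (SHA-256 over the concatenation) next to the HMAC-SHA256 alternative proposed above, with the salt used as the HMAC key. The length-prefixed field encoding, the `sector_identifier_for` helper and all sample hosts, account ids and the salt value are assumptions made for this demonstration; the AES-SIV alternative is not shown because it needs a library outside the Python standard library.

```python
"""Pairwise subject identifiers in the style of OpenID Connect Core 8.1.

Added example (not spec or project code). Shows the spec's example 1
(SHA-256 over a concatenation) next to the HMAC alternative proposed in the
issue. Hostnames, account ids and the salt are constructed for the demo.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def sector_identifier_for(uri: str) -> str:
    """Core 8.1: the Sector Identifier is the host component of the RP's
    sector_identifier_uri (or of its redirect_uri when none is registered).
    Normalised to lower case so host casing cannot split one sector in two."""
    host = urlparse(uri).hostname
    if not host:
        raise ValueError(f"no host component in {uri!r}")
    return host.lower()


def _encode(*fields: str) -> bytes:
    """Length-prefix each field (assumed encoding, not spec text): every
    (sector, account) pair then maps to a distinct byte string, which plain
    concatenation only guarantees if the fields cannot overlap."""
    out = bytearray()
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pairwise_sub_sha256(sector_identifier: str, local_account_id: str, salt: bytes) -> str:
    """Spec example 1: sub = SHA-256(sector_identifier || local_account_id || salt)."""
    msg = _encode(sector_identifier, local_account_id) + salt
    return _b64url(hashlib.sha256(msg).digest())


def pairwise_sub_hmac(sector_identifier: str, local_account_id: str, salt: bytes) -> str:
    """The issue's proposal: a standard HMAC (RFC 2104) keyed with the salt,
    so the PRF is an off-the-shelf one rather than a home-grown hash construction.
    The salt is an OP-side secret and must stay fixed for the life of the mapping,
    otherwise every RP would see its users' sub values change."""
    mac = hmac.new(salt, _encode(sector_identifier, local_account_id), hashlib.sha256)
    return _b64url(mac.digest())


if __name__ == "__main__":
    SALT = b"constructed-op-secret-salt-change-me"  # constructed per-OP secret
    rp_a = sector_identifier_for("https://rp.example.com/cb")
    rp_b = sector_identifier_for("https://other.example.net/callback")
    # Same local account, two sectors: two unlinkable subs.
    print("rp.example.com   :", pairwise_sub_hmac(rp_a, "alice", SALT))
    print("other.example.net:", pairwise_sub_hmac(rp_b, "alice", SALT))
```

Both functions return a 43-character base64url string (32 digest bytes, no padding); the same sector and account always yield the same sub, while a different sector, account or salt yields a different one, which is the property an RP relies on when it stores the sub as its user key.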
Comments (2)
- changed status to on hold
This issue was discussed on the February 6, 2017 OpenID Connect working group call. The conclusion was that this doesn't appear to be a necessary errata action to apply to the current specification. If we ever do a Core 1.1 specification we can reopen this at that time.
I'll also note that AES-SIV is not an algorithm defined for use with JOSE.
I think that using HMAC with salt as the key or AES SIV are valid alternate ways of doing the same thing. I don't think our examples are bad; they explain the goal. I am OK with adding more examples. Not all implementations support SIV.