Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"David McGrew (mcgrew)" <> Mon, 12 November 2012 19:42 UTC

From: "David McGrew (mcgrew)" <>
To: Mike Jones <>, "" <>, "" <>
Date: Mon, 12 Nov 2012 19:42:36 +0000
List-Id: Crypto Forum Research Group <>

Hi Mike,

From: Mike Jones <<>>
Date: Monday, November 12, 2012 1:55 PM
To: Cisco Employee <<>>, "<>" <<>>, "<>" <<>>
Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

As background, if there was a version of this spec that did not assume that the parameters would be concatenated together in a specific way, but left them as independent inputs and outputs, as AES GCM and AES CTR do, it would be a better match for JOSE’s use case.

I believe that what you are referring to is the inclusion of the authentication tag in the authenticated ciphertext. This is not just a property of draft-mcgrew-aead-aes-cbc-hmac-sha2; it is a feature of all 19 of the AEAD algorithms that have been defined so far. For comparison, draft-mcgrew-aead-aes-cbc-hmac-sha2 says

       The AEAD Ciphertext consists of the string S, with the string T
       appended to it.  This Ciphertext is returned as the output of the
       AEAD encryption operation.

where S is the ciphertext and T is the authentication tag. RFC 5116 says

       "The AEAD_AES_128_GCM ciphertext is formed by
       appending the authentication tag provided as an output to the GCM
       encryption operation to the ciphertext that is output by that


                                                            -- Mike

From:<> [] On Behalf Of David McGrew (mcgrew)
Sent: Monday, November 12, 2012 10:21 AM
Subject: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01


There is a new version of "Authenticated Encryption with AES-CBC and HMAC-SHA", and I would appreciate your review. It is online at <><>. The diff between the current and the previous version is available at <><>

This draft has been proposed for use in the JOSE WG <><>, where its adoption would allow the working group to omit "raw" unauthenticated encryption, e.g. AES-CBC, and only include authenticated encryption. Thus I am asking for your help in making

John Foley generated test cases that correspond to the current version of the draft, but I didn't include these in the draft because I did not yet get confirmation from a second independent implementation. With hope, there will not be any need for any normative changes, and I will include these after I get confirmation.
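As an added illustration (not code from the draft or from either author), the following Go program implements the S || T layout the quoted text describes: Seal returns the ciphertext S with the tag T appended as one output, and Open splits T back off and verifies it before any decryption takes place. The page only states the S || T layout; the remaining details (a 32-byte key split into MAC_KEY and ENC_KEY, S = IV || AES-128-CBC with PKCS#7 padding, T = HMAC-SHA-256 over A || S || AL with AL the 64-bit big-endian bit length of A, truncated to 16 bytes) are assumptions that follow later revisions of the draft, not necessarily version 01.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed parameters for AEAD_AES_128_CBC_HMAC_SHA_256: K = MAC_KEY || ENC_KEY (16+16 bytes), T_LEN = 16.
const keyLen, tagLen = 32, 16

// authTag computes T = HMAC-SHA-256(MAC_KEY, A || S || AL) truncated to T_LEN bytes (assumed MAC input).
func authTag(macKey, aad, s []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(bytes.Join([][]byte{aad, s}, nil))
	binary.Write(h, binary.BigEndian, uint64(len(aad))*8) // AL: bit length of A as a 64-bit big-endian integer
	return h.Sum(nil)[:tagLen]
}
// Seal returns the single AEAD output S || T, with S = IV || AES-128-CBC(PKCS#7(P)) (assumed S layout).
func Seal(key, iv, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keyLen || len(iv) != aes.BlockSize {
		return nil, errors.New("need a 32-byte key and a 16-byte IV")
	}
	blk, _ := aes.NewCipher(key[16:]) // ENC_KEY is the second half of K; length checked above
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	s := append(append([]byte{}, iv...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(s[aes.BlockSize:], padded)
	return append(s, authTag(key[:16], aad, s)...), nil
}
// Open splits T off S || T and checks it in constant time before any decryption happens.
func Open(key, ciphertext, aad []byte) ([]byte, error) {
	n := len(ciphertext) - tagLen
	if len(key) != keyLen || n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	s, t := ciphertext[:n], ciphertext[n:]
	if !hmac.Equal(t, authTag(key[:16], aad, s)) {
		return nil, errors.New("authentication failed") // reject before touching the block cipher
	}
	blk, _ := aes.NewCipher(key[16:])
	p := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, s[:aes.BlockSize]).CryptBlocks(p, s[aes.BlockSize:])
	if pad := int(p[len(p)-1]); pad >= 1 && pad <= aes.BlockSize {
		return p[:len(p)-pad], nil
	}
	return nil, errors.New("bad padding") // unreachable for an authentic message; kept as a guard
}
```

Because T is part of the ciphertext string, a JOSE-style consumer that wants the tag as a separate value simply slices the last T_LEN bytes off, exactly as Open does.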