Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
"Dan Harkins" <dharkins@lounge.org> Mon, 12 November 2012 20:21 UTC
From: Dan Harkins <dharkins@lounge.org>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
Hi Mike,

> From: Mike Jones <Michael.Jones@microsoft.com>
> Date: Monday, November 12, 2012 1:55 PM
> To: Cisco Employee <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
> Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
>
> As background, if there was a version of this spec that did not assume
> that the parameters would be concatenated together in a specific way, but
> left them as independent inputs and outputs, as AES GCM and AES CTR do, it
> would be a better match for JOSE's use case.

  I encourage you to look into SIV mode, an AEAD scheme found in RFC 5297. SIV was defined by Rogaway and Shrimpton (in a paper found in the RFC) and is provably secure. It takes a vector of inputs as additional authenticated data, which will be authenticated, and a plaintext, which will be authenticated and encrypted. It does not assume that the parameters are concatenated together; it's just a vector of separate inputs.

  Additionally, SIV mode does not require a random IV/nonce. It works just fine if you have one, and it won't collapse if it is repeated (as GCM does) or is predictable (as CBC-HMAC does), and it works if you don't have, or want to have, one. In that fashion it is more robust than other AEAD schemes. The downside is that it's slower than GCM but is probably faster than CBC-HMAC with SHA2.

  regards,

  Dan.