Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"Dan Harkins" <dharkins@lounge.org> Mon, 12 November 2012 20:21 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D992C21F8681 for <cfrg@ietfa.amsl.com>; Mon, 12 Nov 2012 12:21:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zKtEn-oftuco for <cfrg@ietfa.amsl.com>; Mon, 12 Nov 2012 12:21:14 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 5359621F862C for <cfrg@irtf.org>; Mon, 12 Nov 2012 12:21:14 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 0F22B1022400A; Mon, 12 Nov 2012 12:21:13 -0800 (PST)
Received: from 50.84.73.44 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Mon, 12 Nov 2012 12:21:13 -0800 (PST)
Message-ID: <3bfc8545d5829d56d26ceafba6d8d1f3.squirrel@www.trepanning.net>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B0F50AA95@xmb-rcd-x04.cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F50AA95@xmb-rcd-x04.cisco.com>
Date: Mon, 12 Nov 2012 12:21:13 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2012 20:21:15 -0000

  Hi Mike,

> From: Mike Jones
> <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
> Date: Monday, November 12, 2012 1:55 PM
> To: Cisco Employee <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>,
> "cfrg@irtf.org<mailto:cfrg@irtf.org>"
> <cfrg@irtf.org<mailto:cfrg@irtf.org>>,
> "jose@ietf.org<mailto:jose@ietf.org>"
> <jose@ietf.org<mailto:jose@ietf.org>>
> Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA,
> version 01
>
> As background, if there was a version of this spec that did not assume
> that the parameters would be concatenated together in a specific way, but
> left them as independent inputs and outputs, as AES GCM and AES CTR do, it
> would be a better match for JOSE’s use case.

  I encourage you to look into SIV mode, an AEAD scheme found in
RFC 5297. SIV was defined by Rogaway and Shrimpton (in a paper
found in the RFC) and is provably secure.

  It takes a vector of input as additional authenticated data which will
be authenticated, and a plaintext which will be authenticated and
encrypted. It does not assume that the parameters are concatenated
together, it's just a vector of separate inputs.

  Additionally, SIV mode does not require a random IV/nonce. It works
just fine if you have one, and it won't collapse if it is repeated (as GCM
does) or is predictable (as CBC-HMAC does), and it works if you don't
have, or want to have, one. In that fashion it is more robust than other
AEAD schemes. The downside is that it's slower than GCM but is probably
faster than CBC-HMAC with SHA2.

  regards,

  Dan.