IETF Logo Mail Archive

Re: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"David McGrew (mcgrew)" <mcgrew@cisco.com> Tue, 13 November 2012 16:31 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70AB721F8771 for <cfrg@ietfa.amsl.com>; Tue, 13 Nov 2012 08:31:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Level:
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIgCe2CtVJWh for <cfrg@ietfa.amsl.com>; Tue, 13 Nov 2012 08:31:50 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id BB5E121F8743 for <cfrg@irtf.org>; Tue, 13 Nov 2012 08:31:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=24252; q=dns/txt; s=iport; t=1352824307; x=1354033907; h=from:to:subject:date:message-id:in-reply-to:mime-version; bh=HOAweE7u4s4DT3cNeIP4WIBrnrr2Mu0ih4Y27BymVsQ=; b=SAlY6fATgy5x/j+5hkwRef4P2kReUdlaGw2bxlKz27hbyBE+ifdpZqDf Mu56PFy9X4iZAM0U2XA4pEwyYsf1fUc5F4RGzJRfKMIb3S/GmwyL5jM2Z 23nkftno7kQWIsuPEWYoxGHwe3cWcbPB3hB0GJ7YI/h2Xrmka4kWxUPlH k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAIt0olCtJV2d/2dsb2JhbABEgknBJIEIgh4BAQEEEgEaXgEIEQMBAQELFgc5FAkIAgQBEggBEgeHVgMPC5oXj2WGTx2JRIwqhXNhA6RUgWuCb4IZ
X-IronPort-AV: E=McAfee;i="5400,1158,6894"; a="141958792"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-3.cisco.com with ESMTP; 13 Nov 2012 16:31:44 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id qADGVhuM030265 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 13 Nov 2012 16:31:44 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.200]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.02.0318.001; Tue, 13 Nov 2012 10:31:43 -0600
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
Thread-Index: AQHNwQJ1KPZ1PBWsRUecOePTOEDiwZfnCigA///dCgCAAFxuQIAAw+YA
Date: Tue, 13 Nov 2012 16:31:42 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B0F50AFD6@xmb-rcd-x04.cisco.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E115004FD4BA@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.228]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19360.002
x-tm-as-result: No--32.424200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_747787E65E3FBD4E93F0EB2F14DB556B0F50AFD6xmbrcdx04ciscoc_"
MIME-Version: 1.0
Subject: Re: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2012 16:31:54 -0000

Hi James,

From: <Manger>, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>>
Date: Tuesday, November 13, 2012 1:33 AM
To: Cisco Employee <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>, "cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>, "jose@ietf.org<mailto:jose@ietf.org>" <jose@ietf.org<mailto:jose@ietf.org>>
Subject: RE: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

+10

This is much clearer, and much more suitable for separating what goes in a JOSE library vs what goes in a general-purpose crypto library. Even if a JOSE library needs to implement parts of the crypto today because native AEAD support is not yet present, this solution makes it much more likely JOSE will be compatible with native AEAD as it becomes available. I think it is unlikely that native AEAD support (once available) would support both JOSE and draft-mcgrew variants of AEAD-from-AES-CBC-HMAC. The draft-mcgrew variant has a better chance of being implemented because it doesn’t impose a 33% performance penalty for the MACing part, and the other differences are trivial.

The fact that some existing AEAD algorithms (SIV [RFC 5297]) don’t produce a separate authentication tag is a clear indication that a single ciphertext output is a better general model for AEAD in JOSE than separate ciphertext and integrity values as in JWE today.

Editorials:
“JWE Initialization Vector” should be renamed “JWE Nonce”.
The nonce paragraph needn’t hardwire 2 lengths (0 and 96 bits) – leave it to each alg to specify.
The table can include key and nonce sizes.
    "enc"                key size    nonce size  Algorithm
    -----------------------------------------------------------------------
    "A128GCM"   16 bytes    12 bytes     AEAD_AES_128_GCM
    "A256GCM"   32 bytes    12 bytes     AEAD_AES_256_GCM
     "A128CHS"     48 bytes     0 bytes      AEAD_AES_128_CBC_HMAC_SHA_256
     "A256CHS"     64 bytes     0 bytes      AEAD_AES_256_CBC_HMAC_SHA_512

Thanks for the good suggestions (agreed on all of them) and support.

Regards,

David


--
James Manger

From: cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org> [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew)
Sent: Tuesday, 13 November 2012 10:20 AM
To: Michael Jones; cfrg@irtf.org<mailto:cfrg@irtf.org>; jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

…
I am not dogmatically opposed to other interfaces, but the best solution here is for JOSE to actually use the 5116 interface, like this:

X.Y. Authenticated Encryption

   This section defines the specifics of encrypting the JWE Plaintext
   Using the Authenticated Encryption with Associated Data (AEAD)
   as defined in RFC 5116.   The authenticated encryption operation
   has four inputs, as follows:

     The secret key is the CMK.

     The associated data is the bytes of the ASCII representation of the concatenation of
     the Encoded JWE Header, a period ('.') character, the Encoded JWE
     Encrypted Key, a second period character ('.'), and the Encoded JWE
     Initialization Vector, per Section 5 of the JWE specification.

      The plaintext , which contains the data to be encrypted and
      authenticated.

      A nonce N, with a length of either 0 or 96 bits.   If the length
      is zero, the nonce is omitted.  Otherwise, the nonce
      is as described in Section 3 of RFC 5116.

   There is a single output, the Ciphertext.

   The "enc" header  parameter values are set as follows:

    "enc"                  Algorithm
    -----------------------------------------------------------------------
    "A128GCM"     AEAD_AES_128_GCM
    "A256GCM"     AEAD_AES_256_GCM
     "A128CHS"      AEAD_AES_128_CBC_HMAC_SHA_256
     "A256CHS"      AEAD_AES_256_CBC_HMAC_SHA_512
      "A128SIV"      AEAD_AES_SIV_CMAC_256
      "A256SIV"      AEAD_AES_SIV_CMAC_384

      See <http://www.iana.org/assignments/aead-parameters/aead-parameters.xml><http://www.iana.org/assignments/aead-parameters/aead-parameters.xml%3e> for the
     references corresponding to these symbolic names.

v2.23.0 | Report a Bug | By Email