Re: [COSE] MAC with no recipient structures

"Jim Schaad" <ietf@augustcellars.com> Tue, 17 November 2015 01:23 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 362B81A89FA for <cose@ietfa.amsl.com>; Mon, 16 Nov 2015 17:23:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e9Vrdfqh2r-Y for <cose@ietfa.amsl.com>; Mon, 16 Nov 2015 17:23:55 -0800 (PST)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 793FE1A89F9 for <cose@ietf.org>; Mon, 16 Nov 2015 17:23:52 -0800 (PST)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id DD48D2C9C5; Mon, 16 Nov 2015 17:23:51 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, cose@ietf.org
References: <04e901d119ad$3207bea0$96173be0$@augustcellars.com> <BY2PR03MB442E641DA7A791CB8CCAD8AF51E0@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442E641DA7A791CB8CCAD8AF51E0@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Mon, 16 Nov 2015 17:21:00 -0800
Message-ID: <010801d120d6$381c3d40$a854b7c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIfvpSiX18QdRwxvFtmOBjrli/sGAKSUBmrne2coTA=
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/UVloj62whKVrouu6yXPoT4hmYkg>
Subject: Re: [COSE] MAC with no recipient structures
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 01:23:57 -0000

For this case, what is the benefit that you see for favoring HMAC over
AES-GCM?

Jim

> -----Original Message-----
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Monday, November 16, 2015 2:39 PM
> To: Jim Schaad <ietf@augustcellars.com>; cose@ietf.org
> Subject: RE: [COSE] MAC with no recipient structures
> 
> It should be up to the application whether a MAC operation or an
authenticated
> encryption operation is the best choice for the application.  COSE needs
to
> simply and efficiently support both, giving the application that choice.
> 
> One use case would be a CBOR mapping of OpenID Connect login for IoT usage
-
> replacing the JWT-based ID Token with a CWT-based ID Token.  This would
> often be used with symmetric crypto, where per RP/IdP symmetric HMAC keys
> are employed.  The ID Token (containing information about the
authentication
> that occurred) would use direct HMAC.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: COSE [mailto:cose-bounces@ietf.org] On Behalf Of Jim Schaad
> Sent: Saturday, November 07, 2015 2:40 PM
> To: cose@ietf.org
> Subject: [COSE] MAC with no recipient structures
> 
> People keep telling me that they want to have a version of MACs that do
not
> have a set of recipient information attached so that they can do direct
MACs.  I
> keep asking for a use case where this makes sense.  In all of the use
cases that I
> have been presented so far, a better answer is going to be to do an AEAD
> encrypted item rather than a MACed item.
> 
> The scenario that wants this is going to be:
> 
> Alice sends data to Bob in such a way that Bob can authenticate the data.
> Eve needs to be able to read the data in transit, without knowing if the
message
> contains data or misinformation and will act on the message as if it were
data.
> 
> The difference in message size between MAC and Encryption is going to be
> minimal, at most a few bytes.  The execution difference is going to be a
few
> extra encryption operations.
> 
> What use cases exist for this where encryption is not a better security
answer
> anyway.
> 
> Jim
> 
> 
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose