Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 26 April 2013 07:32 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: John Bradley <ve7jtb@ve7jtb.com>, "jose@ietf.org" <jose@ietf.org>
Date: Fri, 26 Apr 2013 17:32:39 +1000

> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Friday, 26 April 2013 9:08 AM
>
> I think there were two issues identified.
>
> ...
> 2. Encrypting the same plaintext multiple times with the same IV and CMK but changing the AAD. The problem with this is slightly less clear. There will be multiple tags generated, one for each different AAD. To produce the tag, the final hash value is xored with the IV block encrypted with the CMK.
>
> I don't personally know of an attack that can exploit having multiple tags xored with the same value. My take on it from McGrew's comment on the list was it is probably not a good thing. I think Mike and I both took from the conversation that producing multiple tag values that are xored with the same encrypted value is not something that was recommended.
>
> If I have that wrong now would be a good time to say that the practice is OK.   


Rename "IV" to "Nonce" (as it is labelled in RFC 5116 "Authenticated Encryption" for instance) and the problem is clearer: the point of a nonce is that it is only used once (per key).

JOSE cannot keep its current multiple recipient mode as it breaks the general model of an AEAD algorithm. RFC 5116 section 2.1: "Each nonce provided to distinct invocations of the Authenticated Encryption operation MUST be distinct, for any particular value of the key, unless each and every nonce is zero-length". Regardless of whether or not using GCM with same-nonce-and-plaintext-different-AAD is ok, it will not be ok with other AEAD algs, such as SIV [RFC 5297]. Considering any authentication tag to be part of the ciphertext (JOSE issue #11) would avoid this sort of crypto craziness.

--
James Manger
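An added example, not code from the thread or from any JOSE implementation: a Go program using the standard library's AES-GCM, with a hypothetical NonceGuard wrapper whose Seal enforces the RFC 5116 one-nonce-per-key rule, and a PerRecipient helper that reproduces the multi-recipient pattern discussed above (same key, nonce and plaintext, one AAD per recipient) to show the identical ciphertext bodies and differing tags it produces. The key and nonce are constructed all-zero values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// RFC 5116 section 2.1: nonces MUST be distinct per key for an AEAD.
var ErrNonceReuse = errors.New("aead: nonce already used under this key")
// NonceGuard is a hypothetical AES-GCM wrapper that remembers every nonce
// sealed under its key (an in-memory set stands in for durable state).
type NonceGuard struct {
	aead cipher.AEAD
	seen map[string]bool
}
func NewGCMGuard(key []byte) *NonceGuard {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed example keys are valid AES sizes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &NonceGuard{aead: g, seen: map[string]bool{}}
}
// Seal rejects a repeated nonce even when plaintext or AAD differ.
func (g *NonceGuard) Seal(nonce, pt, aad []byte) ([]byte, error) {
	if g.seen[string(nonce)] {
		return nil, ErrNonceReuse
	}
	g.seen[string(nonce)] = true
	return g.aead.Seal(nil, nonce, pt, aad), nil
}
// PerRecipient bypasses the guard to reproduce the thread's pattern (one GCM
// call per recipient AAD under one key, nonce and plaintext): the bodies come
// back identical; only the tags (GHASH(AAD, body) XOR E_K(J0)) differ.
func PerRecipient(g *NonceGuard, nonce, pt []byte, aads [][]byte) (bodies, tags [][]byte) {
	for _, aad := range aads {
		out := g.aead.Seal(nil, nonce, pt, aad)
		bodies, tags = append(bodies, out[:len(pt)]), append(tags, out[len(pt):])
	}
	return bodies, tags
}

func main() {
	g, nonce := NewGCMGuard(make([]byte, 16)), make([]byte, 12) // constructed zero key/nonce
	g.Seal(nonce, []byte("msg"), []byte("recipient-1"))
	_, err := g.Seal(nonce, []byte("msg"), []byte("recipient-2"))
	fmt.Println("second recipient, same nonce:", err)
}
```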