Re: [jose] JWA replicating mcgrew-aead-aes-cbc-hmac-sha2

Mike Jones <> Wed, 01 May 2013 06:36 UTC

From: Mike Jones <>
To: "Manger, James H" <>
Date: Wed, 1 May 2013 06:35:55 +0000

Hi James,

The text was duplicated so that there would be a complete description of the new algorithms, including test cases for implementers, in time for the interim JOSE working group meeting held the last two days.

Once the McGrew draft has been refactored to separate the description of the calculation steps (which JOSE is using) from the AEAD representation steps (which JOSE is not using), and to include test vector values that show results without performing the AEAD representation concatenations, I agree that we'll be able to just reference it, rather than duplicating it.

(I have no objection to the McGrew draft also describing the additional AEAD representation steps and including additional test result values that combine the outputs in the AEAD manner for implementations that choose to use that encoding - indeed, I agree that there's value in doing so for some use cases - they just need to be factored out, because they're separable from the cryptographic algorithm itself.)

				-- Mike

-----Original Message-----
From: [] On Behalf Of Manger, James H
Sent: Sunday, April 28, 2013 8:03 AM
Subject: [jose] JWA replicating mcgrew-aead-aes-cbc-hmac-sha2

JOSE is at last using draft-mcgrew-aead-aes-cbc-hmac-sha2, but why is so much duplicated in JWA instead of referenced? JOSE should have 1 sentence saying:

  The JOSE "alg" strings "A128CBC-HS256" and "A256CBC-HS512" correspond to the AEAD_AES_128_CBC_HMAC_SHA_256 and AEAD_AES_256_CBC_HMAC_SHA_512 algorithms defined in [I-D.mcgrew-aead-aes-cbc-hmac-sha2].

That should be enough. Drop the other 4 pages of JWA on this.

If we really insist on breaking the RFC 5116 AEAD model, add 1 more paragraph.

  In [I-D.mcgrew-aead-aes-cbc-hmac-sha2] the ciphertext includes the CBC initialization vector as a prefix and the truncated HMAC as a suffix. In JOSE these two fields are separated from the ciphertext and treated as the JWE Nonce and JWE Authentication Tag respectively. The JWE Ciphertext is the remaining ciphertext (i.e. minus the prefix and suffix).

Why does JWA duplicate test cases for AES_CBC_HMAC_SHA2 (Appendix C) that will be in draft-mcgrew-aead-aes-cbc-hmac-sha2? The test cases are not even JOSE messages. I hope this is a temporary addition pending the publication of draft-mcgrew-aead-aes-cbc-hmac-sha2-02 (with the test cases).

James Manger
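The split that James describes, and the separation of "calculation steps" from "AEAD representation steps" that Mike refers to, can be shown concretely. The following is an added example written for this archive page; it is not code from either correspondent, from the McGrew draft, or from any JOSE library. It implements the AEAD_AES_128_CBC_HMAC_SHA_256 composition (the JOSE "A128CBC-HS256" parameters: a 32-byte key K = MAC_KEY || ENC_KEY, a 16-byte IV, HMAC-SHA-256 over A || IV || C || AL truncated to 16 bytes, where AL is the bit length of A as a 64-bit big-endian integer), produces the McGrew-style single string IV || C || T, splits it into the three JWE fields, and decrypts from those fields. The function names `Seal`, `SplitForJWE` and `OpenJWE` and the sample key, IV, plaintext and AAD are all constructed for illustration. The point to notice is that `computeTag` is identical on both paths: the MAC is computed over the same A, IV, C and AL whether the three values travel concatenated or as separate JWE members, which is why only the representation, not the cryptographic calculation, differs between the two documents.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed A128CBC-HS256 parameters: K = MAC_KEY (16 bytes) || ENC_KEY (16 bytes),
// a 16-byte CBC IV, and the HMAC-SHA-256 output truncated to its first 16 bytes.
const (
	macKeyLen = 16
	encKeyLen = 16
	tagLen    = 16
)

// computeTag returns HMAC-SHA-256(MAC_KEY, A || IV || C || AL)[:tagLen].
// AL is the length of A in bits, encoded as a 64-bit big-endian integer.
func computeTag(macKey, aad, iv, ciphertext []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha256.New, macKey)
	h.Write(aad)
	h.Write(iv)
	h.Write(ciphertext)
	h.Write(al)
	return h.Sum(nil)[:tagLen]
}

// pkcs7Pad always appends 1..blockSize bytes, so the ciphertext is never empty.
func pkcs7Pad(p []byte, blockSize int) []byte {
	n := blockSize - len(p)%blockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad is only reached after the tag has verified, so a padding error
// here indicates a bug or a wrong key, not an oracle exposed to an attacker.
func pkcs7Unpad(p []byte, blockSize int) ([]byte, error) {
	if len(p) == 0 || len(p)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > blockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return p[:len(p)-n], nil
}

// Seal runs the calculation steps and returns the McGrew representation IV || C || T.
func Seal(key, iv, plaintext, aad []byte) ([]byte, error) {
	if len(key) != macKeyLen+encKeyLen || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	macKey, encKey := key[:macKeyLen], key[macKeyLen:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	c := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c, padded)
	tag := computeTag(macKey, aad, iv, c)
	out := append([]byte{}, iv...)
	out = append(out, c...)
	return append(out, tag...), nil
}

// SplitForJWE separates IV || C || T into the JWE IV, Ciphertext and Authentication Tag.
func SplitForJWE(aeadOut []byte) (iv, ciphertext, tag []byte, err error) {
	if len(aeadOut) < aes.BlockSize+tagLen {
		return nil, nil, nil, errors.New("AEAD output too short")
	}
	iv = aeadOut[:aes.BlockSize]
	tag = aeadOut[len(aeadOut)-tagLen:]
	ciphertext = aeadOut[aes.BlockSize : len(aeadOut)-tagLen]
	return iv, ciphertext, tag, nil
}

// OpenJWE takes the three JWE fields, verifies the tag in constant time first,
// and only then decrypts. The MAC input is the same as in Seal.
func OpenJWE(key, iv, ciphertext, tag, aad []byte) ([]byte, error) {
	if len(key) != macKeyLen+encKeyLen || len(iv) != aes.BlockSize || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad lengths")
	}
	macKey, encKey := key[:macKeyLen], key[macKeyLen:]
	if !hmac.Equal(tag, computeTag(macKey, aad, iv, ciphertext)) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	return pkcs7Unpad(padded, aes.BlockSize)
}

func main() {
	key := make([]byte, 32) // constructed sample key: 00 01 02 ... 1f
	for i := range key {
		key[i] = byte(i)
	}
	iv := bytes.Repeat([]byte{0x1a}, aes.BlockSize) // constructed fixed IV for a repeatable run
	pt := []byte("A cipher system must not be required to be secret")
	aad := []byte("The second principle of Auguste Kerckhoffs")
	out, _ := Seal(key, iv, pt, aad)
	jweIV, jweC, jweT, _ := SplitForJWE(out)
	fmt.Printf("McGrew form: %d bytes; JWE IV %d, Ciphertext %d, Tag %d\n", len(out), len(jweIV), len(jweC), len(jweT))
	back, err := OpenJWE(key, jweIV, jweC, jweT, aad)
	fmt.Printf("decrypt ok: %v, plaintext matches: %v\n", err == nil, bytes.Equal(back, pt))
}
```

In a real JWE the three fields are then base64url-encoded into separate members, and the AAD is the ASCII of the encoded protected header rather than the free-text string used here; the calculation itself is unchanged. Any test vectors for these algorithms, such as those in the JWA appendix the thread mentions, can be fed through `Seal` to confirm the composition, since the IV, ciphertext and tag come out as separately identifiable slices.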