Re: [jose] Use of AES-HMAC algorithm - Consensus Request
Russ Housley <housley@vigilsec.com> Fri, 05 April 2013 13:46 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0988A21F97AF for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 06:46:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PETF-anIgqJi for <jose@ietfa.amsl.com>; Fri, 5 Apr 2013 06:46:24 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id 8FF5621F97AE for <jose@ietf.org>; Fri, 5 Apr 2013 06:46:24 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id 676B6F2406B; Fri, 5 Apr 2013 09:46:35 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id YV9DgfsvpfD7; Fri, 5 Apr 2013 09:46:09 -0400 (EDT)
Received: from [192.168.2.100] (pool-173-79-232-68.washdc.fios.verizon.net [173.79.232.68]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 5E1F49A40F4; Fri, 5 Apr 2013 09:46:29 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <017a01ce318f$482d8470$d8888d50$@augustcellars.com>
Date: Fri, 05 Apr 2013 09:46:16 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F8202A1-81B2-474E-A18A-665F9BE7DCD2@vigilsec.com>
References: <017a01ce318f$482d8470$d8888d50$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1085)
Cc: jose@ietf.org
Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 13:46:26 -0000
I have a minor preference for the KDF. The KDF eliminates any bias in the base key, and the KDF support the use of a base key with just enough entropy to be secure. Russ On Apr 4, 2013, at 7:51 PM, Jim Schaad wrote: > <chair> > > At the request of the editors, this is a formal consensus call on the first > item in the list below. If there are objects to use a single long key > rather than a KDF function for the AES-CBC/HMAC algorithm please speak up > now. To date nobody has said that I was wrong to assume the consensus on > that item. > > Call ends in one week. > > Jim > > >> -----Original Message----- >> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of > Jim >> Schaad >> Sent: Wednesday, March 27, 2013 3:21 PM >> To: jose@ietf.org >> Subject: [jose] Use of AES-HMAC algorithm >> >> <chair> >> After spending time looking at and thinking about how to resolve this > issue >> since I was unable to do so at the last F2F meeting. I have come up with > the >> following set of issues that might need to be addressed as part of > resolving >> this issue. >> >> 1. Do we change from using KDC to having a double size key for the >> algorithm? I think that there is probably a consensus that this should be > done. >> >> 2. Should IVs be prepended to the encrypted body as part of the encoding >> steps? If so then this change should be universal. >> >> Doing so would eliminate one field from all of the encoding formats which >> should be considered a plus. >> Doing so would force code writers to understand how large the IV is for > all >> algorithms as the IV would no longer be a separate item. >> >> 3. Should Authentication Tags be appended to the encrypted body as part of >> the encoding steps? >> >> Doing so would eliminate one field from all of the encoding formats which >> should be considered a plus. >> Doing so would force code writers to understand how large the IV is for > all >> algorithms as the IV would no longer be a separate item. >> Doing so would force a re-organization for the multiple recipient case as >> either all recipient specific data would need to be excluded from the >> authentication step or all of the recipient data would need to be included > for >> by all recipients. >> Changing how the recipient info is process is going to give a performance >> benefit for sending encrypted items for multiple recipients. >> The current strategy of a single IV and key pair with AES-GCM and > different >> authentication data needs to have CFRG look at it. I am worried that it > might >> be a serious security flaw. >> >> 4. Should we reference the McGrew draft and provide text on how things are >> changed or should we "copy" the draft into our text? >> >> 5. If we allow for the use of AES-GCM or AES-HMAC for doing key wrapping, >> does this change how we think about any of the above questions? >> >> Allowing for AES-GCM for key wrapping has a benefit for hardware > situations >> as only the encrypt and not the decrypt functions need to be placed in >> hardware. However allowing for this key wrapping give a problem as there > is >> no way to encode the three fields into the encrypted value unless with use >> either a JSON structure in this location or we do use the single appended >> binary output stream. The first approach leads to an expansion of the > field by >> double base64 encoding which is highly undesirable. >> >> Jim >> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Jim Schaad
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Mike Jones
- Re: [jose] Use of AES-HMAC algorithm - Consensus … John Bradley
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Russ Housley
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Peck, Michael A
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Matt Miller (mamille2)
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Nat Sakimura
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Edmund Jay
- Re: [jose] Use of AES-HMAC algorithm - Consensus … John Bradley