Re: [jose] AESWrap vs ECB key wrap
"Jim Schaad" <ietf@augustcellars.com> Tue, 07 August 2012 19:04 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05DAA21F87CB for <jose@ietfa.amsl.com>; Tue, 7 Aug 2012 12:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.569
X-Spam-Level:
X-Spam-Status: No, score=-3.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4oR07ObsSAfx for <jose@ietfa.amsl.com>; Tue, 7 Aug 2012 12:04:13 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) by ietfa.amsl.com (Postfix) with ESMTP id F305621F855E for <jose@ietf.org>; Tue, 7 Aug 2012 12:04:12 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id BAF9238EA7; Tue, 7 Aug 2012 12:04:12 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: "'Manger, James H'" <James.H.Manger@team.telstra.com>, jose@ietf.org
References: <255B9BB34FB7D647A506DC292726F6E114FA1E3F93@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114FA1E3F93@WSMSG3153V.srv.dir.telstra.com>
Date: Tue, 07 Aug 2012 12:02:46 -0700
Message-ID: <015101cd74cf$3b6ddb40$b24991c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJOEqYX4FEpAj/QYUBhxmva5HYVMpZNeJ0w
Content-Language: en-us
Subject: Re: [jose] AESWrap vs ECB key wrap
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 19:04:14 -0000
> -----Original Message----- > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of > Manger, James H > Sent: Thursday, August 02, 2012 12:17 AM > To: jose@ietf.org > Subject: [jose] AESWrap vs ECB key wrap > > I noticed an "ECB key wrap" option was discussed at the IETF meeting, as an > alternative to AESWrap [RFC 3394]. > > I hadn't looked closely at AESWrap before. Its important features seem to > be: > 1. Only defined for content keys that are a multiple of 64-bits 2. Adds an > overhead of 64 bits (= 8 bytes = 12 B64 chars) 3. Offers a 64-bit integrity check > (from the overhead) 4. Performs 12 AES operations for each 64-bits of the > content key Do you believe that there is an issue with saying that key sizes are going to be a multiple of 64 bits? If so please speak up now and we can change this > > I assume an ECB key wrap, in contrast, would avoid the 64-bit overhead by > dropping the integrity check and only use 1/24th of the AES operations. > Would it also use, say, ciphertext stealing so there is no size overhead for any > content key size? There however is an issue where you cannot encrypt more than 128-bits of key material. This means that it would not be usable for many algorithms that are in the current specification. > > If a 12 byte overhead (when base64url-encoded) is too small to worry about > (and an extra, say, 46 AES operations is immaterial), then JOSE should keep > AESWrap as the only choice. It still need to define how to use AESWrap for > content keys that are not a multiple of 64-bits. Perhaps one byte of the > integrity check is changed to indicate the content key length? > > If size is going to be absolutely crucial for some use cases, then an ECB key > wrap could help. Such a size-constrained situation would probably need > other changes as well, such as the choice of a shorted IV and integrity tag for > AES-GCM (than the 128-bits and 96-bits picked in JWA). > > -- > James Manger > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- [jose] AESWrap vs ECB key wrap Manger, James H
- Re: [jose] AESWrap vs ECB key wrap Manger, James H
- Re: [jose] AESWrap vs ECB key wrap Jim Schaad
- Re: [jose] AESWrap vs ECB key wrap Anthony Nadalin
- Re: [jose] AESWrap vs ECB key wrap Manger, James H
- Re: [jose] AESWrap vs ECB key wrap Jim Schaad