Re: [jose] [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"David McGrew (mcgrew)" <> Tue, 13 November 2012 16:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 70B1421F8774 for <>; Tue, 13 Nov 2012 08:31:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oU-4+GjtK1BL for <>; Tue, 13 Nov 2012 08:31:50 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 98C4621F8718 for <>; Tue, 13 Nov 2012 08:31:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=24252; q=dns/txt; s=iport; t=1352824307; x=1354033907; h=from:to:subject:date:message-id:in-reply-to:mime-version; bh=HOAweE7u4s4DT3cNeIP4WIBrnrr2Mu0ih4Y27BymVsQ=; b=SAlY6fATgy5x/j+5hkwRef4P2kReUdlaGw2bxlKz27hbyBE+ifdpZqDf Mu56PFy9X4iZAM0U2XA4pEwyYsf1fUc5F4RGzJRfKMIb3S/GmwyL5jM2Z 23nkftno7kQWIsuPEWYoxGHwe3cWcbPB3hB0GJ7YI/h2Xrmka4kWxUPlH k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAIt0olCtJV2d/2dsb2JhbABEgknBJIEIgh4BAQEEEgEaXgEIEQMBAQELFgc5FAkIAgQBEggBEgeHVgMPC5oXj2WGTx2JRIwqhXNhA6RUgWuCb4IZ
X-IronPort-AV: E=McAfee;i="5400,1158,6894"; a="141958792"
Received: from ([]) by with ESMTP; 13 Nov 2012 16:31:44 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id qADGVhuM030265 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 13 Nov 2012 16:31:44 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.001; Tue, 13 Nov 2012 10:31:43 -0600
From: "David McGrew (mcgrew)" <>
To: "Manger, James H" <>, "" <>, "" <>
Thread-Topic: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
Date: Tue, 13 Nov 2012 16:31:42 +0000
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
x-tm-as-product-ver: SMEX-
x-tm-as-result: No--32.424200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_747787E65E3FBD4E93F0EB2F14DB556B0F50AFD6xmbrcdx04ciscoc_"
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 13 Nov 2012 14:23:36 -0800
Subject: Re: [jose] [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Nov 2012 16:31:54 -0000

Hi James,

From: <Manger>, James H <<>>
Date: Tuesday, November 13, 2012 1:33 AM
To: Cisco Employee <<>>, "<>" <<>>, "<>" <<>>
Subject: RE: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01


This is much clearer, and much more suitable for separating what goes in a JOSE library vs what goes in a general-purpose crypto library. Even if a JOSE library needs to implement parts of the crypto today because native AEAD support is not yet present, this solution makes it much more likely JOSE will be compatible with native AEAD as it becomes available. I think it is unlikely that native AEAD support (once available) would support both JOSE and draft-mcgrew variants of AEAD-from-AES-CBC-HMAC. The draft-mcgrew variant has a better chance of being implemented because it doesn’t impose a 33% performance penalty for the MACing part, and the other differences are trivial.

The fact that some existing AEAD algorithms (SIV [RFC 5297]) don’t produce a separate authentication tag is a clear indication that a single ciphertext output is a better general model for AEAD in JOSE than separate ciphertext and integrity values as in JWE today.

“JWE Initialization Vector” should be renamed “JWE Nonce”.
The nonce paragraph needn’t hardwire 2 lengths (0 and 96 bits) – leave it to each alg to specify.
The table can include key and nonce sizes.
    "enc"                key size    nonce size  Algorithm
    "A128GCM"   16 bytes    12 bytes     AEAD_AES_128_GCM
    "A256GCM"   32 bytes    12 bytes     AEAD_AES_256_GCM
     "A128CHS"     48 bytes     0 bytes      AEAD_AES_128_CBC_HMAC_SHA_256
     "A256CHS"     64 bytes     0 bytes      AEAD_AES_256_CBC_HMAC_SHA_512

Thanks for the good suggestions (agreed on all of them) and support.



James Manger

From:<> [] On Behalf Of David McGrew (mcgrew)
Sent: Tuesday, 13 November 2012 10:20 AM
To: Michael Jones;<>;<>
Subject: Re: [Cfrg] [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

I am not dogmatically opposed to other interfaces, but the best solution here is for JOSE to actually use the 5116 interface, like this:

X.Y. Authenticated Encryption

   This section defines the specifics of encrypting the JWE Plaintext
   Using the Authenticated Encryption with Associated Data (AEAD)
   as defined in RFC 5116.   The authenticated encryption operation
   has four inputs, as follows:

     The secret key is the CMK.

     The associated data is the bytes of the ASCII representation of the concatenation of
     the Encoded JWE Header, a period ('.') character, the Encoded JWE
     Encrypted Key, a second period character ('.'), and the Encoded JWE
     Initialization Vector, per Section 5 of the JWE specification.

      The plaintext , which contains the data to be encrypted and

      A nonce N, with a length of either 0 or 96 bits.   If the length
      is zero, the nonce is omitted.  Otherwise, the nonce
      is as described in Section 3 of RFC 5116.

   There is a single output, the Ciphertext.

   The "enc" header  parameter values are set as follows:

    "enc"                  Algorithm
    "A128GCM"     AEAD_AES_128_GCM
    "A256GCM"     AEAD_AES_256_GCM
     "A128CHS"      AEAD_AES_128_CBC_HMAC_SHA_256
     "A256CHS"      AEAD_AES_256_CBC_HMAC_SHA_512
      "A128SIV"      AEAD_AES_SIV_CMAC_256
      "A256SIV"      AEAD_AES_SIV_CMAC_384

      See <><> for the
     references corresponding to these symbolic names.