Re: [jose] [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 12 November 2012 19:42 UTC


Hi Mike,

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Monday, November 12, 2012 1:55 PM
To: Cisco Employee <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

As background, if there was a version of this spec that did not assume that the parameters would be concatenated together in a specific way, but left them as independent inputs and outputs, as AES GCM and AES CTR do, it would be a better match for JOSE’s use case.

I believe that what you are referring to is the inclusion of the authentication tag in the authenticated ciphertext.   This is not just a property of draft-mcgrew-aead-aes-cbc-hmac-sha2; it is a feature of all 19 of the AEAD algorithms that have been defined so far.   For comparison, draft-mcgrew-aead-aes-cbc-hmac-sha2 says

       The AEAD Ciphertext consists of the string S, with the string T
       appended to it.  This Ciphertext is returned as the output of the
       AEAD encryption operation.

Where S is the ciphertext and T is the authentication tag.   RFC 5116 says

       "The AEAD_AES_128_GCM ciphertext is formed by
       appending the authentication tag provided as an output to the GCM
       encryption operation to the ciphertext that is output by that
       operation."

David


                                                            -- Mike
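The point made in the reply above, that an AEAD's single output is the ciphertext S with the tag T appended, and that the "independent outputs" view is nothing more than a split at a known offset, as an added example in Go. This is example code, not code from the draft, from RFC 5116 or from any of the authors. The key split into MAC_KEY || ENC_KEY, the 16-byte truncated tag and the MAC input layout A || IV || S || AL are assumptions of this example modeled on the generic encrypt-then-MAC structure; the draft text is the authority on those details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// tagLen is the length of the truncated HMAC-SHA-256 tag T (an assumption of this example).
const tagLen = 16

var errAuth = errors.New("authentication failed")

// pkcs7Pad pads the plaintext to a multiple of the AES block size.
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding. It runs only after T has been verified, so a
// padding error can never be observed by someone who does not hold the MAC key.
func pkcs7Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || n > len(p) {
		return nil, errors.New("bad padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// tag computes T = HMAC-SHA-256(macKey, A || IV || S || AL)[:tagLen], where AL is
// the bit length of A as a 64-bit big-endian integer. Assumed layout, see lead-in.
func tag(macKey, aad, iv, s []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(aad)
	mac.Write(iv)
	mac.Write(s)
	var al [8]byte
	binary.BigEndian.PutUint64(al[:], uint64(len(aad))*8)
	mac.Write(al[:])
	return mac.Sum(nil)[:tagLen]
}

// seal returns the AEAD ciphertext S || T, the single-output form the draft describes.
// key is MAC_KEY || ENC_KEY (16 + 16 bytes, assumed split); iv is the 16-byte CBC IV.
func seal(key, iv, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	macKey, encKey := key[:16], key[16:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	s := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(s, padded)
	return append(s, tag(macKey, aad, iv, s)...), nil
}

// splitTag is the "independent outputs" view: T always sits at the end of the AEAD
// ciphertext, so recovering it needs nothing but the agreed tag length.
func splitTag(aeadCiphertext []byte) (s, t []byte, err error) {
	if len(aeadCiphertext) < tagLen {
		return nil, nil, errAuth
	}
	return aeadCiphertext[:len(aeadCiphertext)-tagLen], aeadCiphertext[len(aeadCiphertext)-tagLen:], nil
}

// open verifies T in constant time before any decryption or unpadding takes place.
func open(key, iv, aad, aeadCiphertext []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	macKey, encKey := key[:16], key[16:]
	s, t, err := splitTag(aeadCiphertext)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(t, tag(macKey, aad, iv, s)) {
		return nil, errAuth
	}
	if len(s) == 0 || len(s)%aes.BlockSize != 0 {
		return nil, errAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(s))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, s)
	return pkcs7Unpad(padded)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)          // constructed key, not a draft test vector
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize) // constructed; real IVs must be fresh per message
	aad := []byte("constructed associated data")
	ct, err := seal(key, iv, aad, []byte("hello, jose"))
	if err != nil {
		panic(err)
	}
	s, t, _ := splitTag(ct)
	fmt.Printf("S (%d bytes) || T (%d bytes) = %x\n", len(s), len(t), ct)
	pt, err := open(key, iv, aad, ct)
	fmt.Printf("open: %q err=%v\n", pt, err)
	ct[0] ^= 1 // flip one ciphertext bit: the tag no longer verifies
	_, err = open(key, iv, aad, ct)
	fmt.Println("open after tamper:", err)
}
```

The reason the combined S || T output is convenient for a verifier is visible in `open`: everything it needs to authenticate arrives as one string, and no decryption or padding check happens until the tag has been verified with a constant-time comparison. A profile that wants the tag as a separate field, as JOSE does, only has to apply `splitTag` at the known offset; the two representations carry identical information.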

From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew)
Sent: Monday, November 12, 2012 10:21 AM
To: cfrg@irtf.org; jose@ietf.org
Subject: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

Hi,

There is a new version of "Authenticated Encryption with AES-CBC and HMAC-SHA", and I would appreciate your review.   It is online at <https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/?include_text=1>.   The diff between the current and the previous version is available at <http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-01>.

This draft has been proposed for use in the JOSE WG <http://datatracker.ietf.org/wg/jose/>, where its adoption would allow the working group to omit "raw" unauthenticated encryption, e.g. AES-CBC, and only include authenticated encryption.   Thus I am asking for your help in making

John Foley generated test cases that correspond to the current version of the draft, but I didn't include these in the draft because I did not yet get confirmation from a second independent implementation.   With hope, there will not be any need for any normative changes, and I will include these after I get confirmation.

Thanks,

David