Re: [jose] [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

"Dan Harkins" <dharkins@lounge.org> Mon, 12 November 2012 20:21 UTC

Message-ID: <3bfc8545d5829d56d26ceafba6d8d1f3.squirrel@www.trepanning.net>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B0F50AA95@xmb-rcd-x04.cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F50AA95@xmb-rcd-x04.cisco.com>
Date: Mon, 12 Nov 2012 12:21:13 -0800
From: Dan Harkins <dharkins@lounge.org>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
Cc: Mike Jones <michael.jones@microsoft.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01

  Hi Mike,

> From: Mike Jones <Michael.Jones@microsoft.com>
> Date: Monday, November 12, 2012 1:55 PM
> To: Cisco Employee <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>,
> "jose@ietf.org" <jose@ietf.org>
> Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA,
> version 01
>
> As background, if there was a version of this spec that did not assume
> that the parameters would be concatenated together in a specific way, but
> left them as independent inputs and outputs, as AES GCM and AES CTR do, it
> would be a better match for JOSE’s use case.

  I encourage you to look into SIV mode, an AEAD scheme found in
RFC 5297. SIV was defined by Rogaway and Shrimpton (in a paper
found in the RFC) and is provably secure.

  It takes a vector of input as additional authenticated data which will
be authenticated, and a plaintext which will be authenticated and
encrypted. It does not assume that the parameters are concatenated
together, it's just a vector of separate inputs.

  Additionally, SIV mode does not require a random IV/nonce. It works
just fine if you have one, and it won't collapse if it is repeated (as GCM
does) or is predictable (as CBC-HMAC does), and it works if you don't
have, or want to have, one. In that fashion it is more robust than other
AEAD schemes. The downside is that it's slower than GCM but is probably
faster than CBC-HMAC with SHA2.

  regards,

  Dan.