[jose] PBES2-HS256+A256KW or PBES2-HS512+A256KW?

Mike Jones <Michael.Jones@microsoft.com> Thu, 18 July 2013 21:26 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Sean Turner <turners@ieca.com>
Date: Thu, 18 Jul 2013 21:26:42 +0000
Cc: "jose@ietf.org" <jose@ietf.org>

Currently JWA defines two password-based key encryption algorithms:

I was surprised that when the AES key size was increased from 128 to 256, the HMAC key size was not also increased from 256 to 512.  Sean, Matt had told me that this used to be the case in his individual draft, but that you had requested that HMAC SHA-256 be used for both algorithms.

If for no other reason than symmetry, I'm curious why.  For instance, in McGrew's AES-CBC-HMAC-SHA2 draft, these pairings are made:
    128 bit AES with 256 bit HMAC
    192 bit AES with 384 bit HMAC
    256 bit AES with 512 bit HMAC
Sean, why aren't we doing the same for password-based encryption?

                                                            -- Mike