Re: [jose] Use of AES-HMAC algorithm

Dick Hardt <dick.hardt@gmail.com> Thu, 28 March 2013 01:06 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367590D06@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Wed, 27 Mar 2013 18:05:54 -0700
Message-Id: <366657CD-2349-4AA8-B5BC-2A08A136ED08@gmail.com>
References: <006801ce2b39$52595700$f70c0500$@augustcellars.com> <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com> <1D2E2774-4A20-43AE-A2D6-30FF797DAAAF@gmail.com> <4E1F6AAD24975D4BA5B168042967394367590D06@TK5EX14MBXC283.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Use of AES-HMAC algorithm
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>

On Mar 27, 2013, at 5:39 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> I think the reason the working group is thinking about this algorithm is a combination of three things:
> 
> 1.  Using the KDF could lead to interoperability problems.  Some early implementations have gotten this wrong.

Were these improper implementations, or different interpretations? The first is a bug in the software, the second is a bug in the spec.

> 
> 2.  Apparently we're not using the Concat KDF for an approved use, as "approved" is defined by the NIST specs.  If we stop using it, this criticism would go away.

Not relevant for me, but I understand the motivation.

> 
> 3.  Some have pushed back on us "inventing a new cryptographic algorithm".  While I believe that the composition of two established algorithms - AES-CBC and HMAC SHA-2 is easily defensible, with David McGrew being the co-chair of the Crypto Forum Research Group (CFRG) - the group that IETF people go to when wanting to validate the use of crypto algorithms - if his algorithm is approved, using it would likely be considered to be above reproach, in terms of getting JWE through the IETF approval processes.

What is David's algorithm?

> 
> So it's really "spec approval" reasons - not security reasons that the change is being considered.

A smaller key is better than a larger key, but it is not that much larger. 

> 
> 				-- Mike
> 
> P.S.  For what it's worth, you could distinguish the two algorithms by the key sizes if you wanted to run both algorithms side-by-side for a while.

Thanks for the suggestion. I can still change the implementation for the next couple weeks without impacting a third party. Would be useful to know where this will land so I can change or not.

P.S. thanks for the explanation Mike!

-- Dick
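The composition Mike's point 3 refers to, AES-CBC combined with HMAC SHA-2 as encrypt-then-MAC with a single input key split into a MAC half and an encryption half, written out as an added Go example for this archive page (it is not code from the thread, from Dick's implementation, or from any JOSE library). It assumes the layout of the AES-CBC-HMAC-SHA2 AEAD construction that JWE later standardised as A128CBC-HS256 (RFC 7518): a 32-byte key whose first 16 bytes key HMAC-SHA-256 and whose last 16 bytes key AES-128, a MAC over AAD || IV || ciphertext || AL (AL being the AAD bit length as a 64-bit big-endian integer), and a tag truncated to 16 bytes. The sample key, IV, plaintext and AAD in `main` are the published test vector for that variant (RFC 7518, Appendix B.1); the function names `Seal` and `Open` are this example's own. The hard key-length check is also what lets the older 16-byte-key scheme and this one run side by side, as Mike's P.S. suggests.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sizes for the AES-128-CBC + HMAC-SHA-256 variant: the 32-byte input key is
// split into a 16-byte MAC key (first half) and a 16-byte AES key (second
// half); the HMAC-SHA-256 output is truncated to 16 bytes.
const (
	keyLen = 32
	tagLen = 16
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// tag computes HMAC-SHA-256 over AAD || IV || ciphertext || AL, where AL is
// the bit length of AAD as a 64-bit big-endian integer, then truncates it.
func tag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha256.New, macKey)
	h.Write(aad)
	h.Write(iv)
	h.Write(ct)
	h.Write(al)
	return h.Sum(nil)[:tagLen]
}

// Seal encrypts with AES-128-CBC and then authenticates (encrypt-then-MAC).
// A key of any other length is rejected outright: the 32-byte key is the
// visible difference from the 16-byte-key-plus-KDF scheme.
func Seal(key, iv, plaintext, aad []byte) (ct, t []byte, err error) {
	if len(key) != keyLen {
		return nil, nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	if len(iv) != aes.BlockSize {
		return nil, nil, errors.New("iv must be exactly one AES block")
	}
	macKey, encKey := key[:16], key[16:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, tag(macKey, aad, iv, ct), nil
}

// Open checks the tag in constant time before decrypting anything, so a
// forged or altered message never reaches the padding check.
func Open(key, iv, ct, t, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed iv or ciphertext")
	}
	macKey, encKey := key[:16], key[16:]
	if !hmac.Equal(t, tag(macKey, aad, iv, ct)) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Published test vector (RFC 7518, Appendix B.1); not a key for real use.
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	iv, _ := hex.DecodeString("1af38c2dc2b96ffdd86694092341bc04")
	pt := []byte("A cipher system must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience")
	aad := []byte("The second principle of Auguste Kerckhoffs")
	ct, t, err := Seal(key, iv, pt, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, tag %x\n", len(ct), t)
	ct[0] ^= 1 // flip one bit: Open must refuse before decrypting
	_, err = Open(key, iv, ct, t, aad)
	fmt.Println("tampered ciphertext:", err)
}
```

Verification happens before decryption, and `hmac.Equal` is used rather than `bytes.Equal` so the comparison does not leak how many tag bytes matched. With the vector above, `Seal` produces a 144-byte ciphertext and the 16-byte tag `652c3fa36b0a7c5b3219fab3a30bc1c4`.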