[jose] Use of AES-HMAC algorithm
"Jim Schaad" <ietf@augustcellars.com> Wed, 27 March 2013 22:21 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F64521F8F68 for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 15:21:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FefZHt8TE08g for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 15:21:27 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id 116DB21F86DC for <jose@ietf.org>; Wed, 27 Mar 2013 15:21:27 -0700 (PDT)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id C1EE238F06 for <jose@ietf.org>; Wed, 27 Mar 2013 15:21:18 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org
Date: Wed, 27 Mar 2013 15:20:42 -0700
Message-ID: <006801ce2b39$52595700$f70c0500$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac4nS9Dlxfl1UeEXRp6aXJeHoQZF0Q==
Content-Language: en-us
Subject: [jose] Use of AES-HMAC algorithm
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2013 22:21:28 -0000
<chair> After spending time looking at and thinking about how to resolve this issue since I was unable to do so at the last F2F meeting. I have come up with the following set of issues that might need to be addressed as part of resolving this issue. 1. Do we change from using KDC to having a double size key for the algorithm? I think that there is probably a consensus that this should be done. 2. Should IVs be prepended to the encrypted body as part of the encoding steps? If so then this change should be universal. Doing so would eliminate one field from all of the encoding formats which should be considered a plus. Doing so would force code writers to understand how large the IV is for all algorithms as the IV would no longer be a separate item. 3. Should Authentication Tags be appended to the encrypted body as part of the encoding steps? Doing so would eliminate one field from all of the encoding formats which should be considered a plus. Doing so would force code writers to understand how large the IV is for all algorithms as the IV would no longer be a separate item. Doing so would force a re-organization for the multiple recipient case as either all recipient specific data would need to be excluded from the authentication step or all of the recipient data would need to be included for by all recipients. Changing how the recipient info is process is going to give a performance benefit for sending encrypted items for multiple recipients. The current strategy of a single IV and key pair with AES-GCM and different authentication data needs to have CFRG look at it. I am worried that it might be a serious security flaw. 4. Should we reference the McGrew draft and provide text on how things are changed or should we "copy" the draft into our text? 5. If we allow for the use of AES-GCM or AES-HMAC for doing key wrapping, does this change how we think about any of the above questions? Allowing for AES-GCM for key wrapping has a benefit for hardware situations as only the encrypt and not the decrypt functions need to be placed in hardware. However allowing for this key wrapping give a problem as there is no way to encode the three fields into the encrypted value unless with use either a JSON structure in this location or we do use the single appended binary output stream. The first approach leads to an expansion of the field by double base64 encoding which is highly undesirable. Jim
- [jose] Use of AES-HMAC algorithm Jim Schaad
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Use of AES-HMAC algorithm Jim Schaad