Re: [jose] Theoretical use of SIV AEAD mode in JOSE

Russ Housley <housley@vigilsec.com> Thu, 25 April 2013 22:26 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38ED121F96F8 for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 15:26:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.999
X-Spam-Level:
X-Spam-Status: No, score=-99.999 tagged_above=-999 required=5 tests=[AWL=-0.000, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oavL5RZgOcBh for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 15:26:14 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD9421F96F0 for <jose@ietf.org>; Thu, 25 Apr 2013 15:26:14 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id 85447F2407E; Thu, 25 Apr 2013 18:26:16 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id 49EWC2amjT-s; Thu, 25 Apr 2013 18:26:05 -0400 (EDT)
Received: from v150.vpn.iad.rg.net (v150.vpn.iad.rg.net [198.180.150.150]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 6ACAFF24072; Thu, 25 Apr 2013 18:26:15 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: multipart/alternative; boundary="Apple-Mail-12--72969397"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <01d501ce41f8$6288cb30$279a6190$@augustcellars.com>
Date: Thu, 25 Apr 2013 18:26:10 -0400
Message-Id: <D3235C00-5B1A-4FCF-8492-F50D61526990@vigilsec.com>
References: <01d501ce41f8$6288cb30$279a6190$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1085)
Cc: jose@ietf.org
Subject: Re: [jose] Theoretical use of SIV AEAD mode in JOSE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 22:26:15 -0000

Jim:

I think that the advocates for SIV need to show how to apply it to multiple recipients and produce the same ciphertext.  Otherwise, it is equivalent to a separate message per recipient.  This is worse than the S/MIME solution for BCC recipients.

Russ


On Apr 25, 2013, at 5:03 PM, Jim Schaad wrote:

> First, I am not advocating that we should add SIV mode as a standard encryption algorithm to the JOSE specifications.  However SIV mode has some interesting properties and has been publicly declared as being IP free so I want to make sure that we do not preclude the use of SIV mode if somebody else wants to play with it.
>  
> A quick primer on how SIV mode works:
>  
> 1. Compute the IV to be used for the message: IV = F(Authenticated Data, Plain Text, Encryption Key)
> 2. Encrypt the Plain Text: CipherText = AES-CTR(Plain Text, IV, Encryption Key)
> Note that I have not looked it up and it has been a while, but I am pretty sure that it does use CTR mode.
> 3. Compute the authentication Tag: AT = IV
>  
>  
> There are no problems with doing the encoding in that one can present the IV as both the IV and the AT in the encoding, so it is not as if one of these fields becomes implicit.  However, it does mean that the current encoding format for multiple recipients is completely unusable.  One could use the format, but it would need to be in a single recipient mode only.  This is because the IV and the encrypted text would, of necessity, be unique for each recipient.
>  
> Jim
>
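Added example, not part of either message above and not the RFC 5297 reference construction: a minimal Go model of the three-step primer Jim gives (IV = F(AD, PT, K); CT = AES-CTR(PT, IV, K); tag = IV) that also exercises the multi-recipient point Russ raises. Assumptions: the function F is modelled with HMAC-SHA256 truncated to one AES block (real SIV uses S2V built on AES-CMAC, and masks two bits of the IV before using it as the CTR counter; both details are omitted here), and the names `Seal`, `Open`, `DistinctCiphertexts` and the sample keys, header and plaintext are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// syntheticIV is the "F(Authenticated Data, Plain Text, Encryption Key)" step
// of the primer. Assumption for this example: HMAC-SHA256 truncated to one
// AES block stands in for RFC 5297's S2V/AES-CMAC construction.
func syntheticIV(key, ad, plaintext []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(ad)
	mac.Write(plaintext)
	return mac.Sum(nil)[:aes.BlockSize]
}

// ctr runs AES-CTR keyed with key and seeded with iv; encryption and
// decryption are the same XOR operation.
func ctr(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Seal performs the three steps of the primer: IV = F(AD, PT, K),
// CT = AES-CTR(PT, IV, K), and the authentication tag is the IV itself.
func Seal(key, ad, plaintext []byte) (iv, ciphertext []byte, err error) {
	iv = syntheticIV(key, ad, plaintext)
	ciphertext, err = ctr(key, iv, plaintext)
	return iv, ciphertext, err
}

// Open decrypts under the transmitted IV, recomputes F over the recovered
// plaintext and accepts the message only if the result equals the IV/tag.
// Any change to AD, ciphertext, IV or key makes the recomputed value differ.
func Open(key, ad, iv, ciphertext []byte) ([]byte, error) {
	plaintext, err := ctr(key, iv, ciphertext)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(iv, syntheticIV(key, ad, plaintext)) {
		return nil, errors.New("siv: authentication failed")
	}
	return plaintext, nil
}

// DistinctCiphertexts seals one (AD, plaintext) pair under each recipient key
// and counts how many different (IV, ciphertext) pairs result. Because the IV
// is a function of the key, every distinct key produces a distinct IV and
// ciphertext, which is the multi-recipient problem discussed in the thread.
func DistinctCiphertexts(keys [][]byte, ad, plaintext []byte) (int, error) {
	var seen [][]byte
	for _, k := range keys {
		iv, ct, err := Seal(k, ad, plaintext)
		if err != nil {
			return 0, err
		}
		blob := append(append([]byte{}, iv...), ct...)
		dup := false
		for _, s := range seen {
			if bytes.Equal(s, blob) {
				dup = true
				break
			}
		}
		if !dup {
			seen = append(seen, blob)
		}
	}
	return len(seen), nil
}

func main() {
	// Constructed sample values: two recipient keys, one protected header, one message.
	alice := bytes.Repeat([]byte{0x11}, 16)
	bob := bytes.Repeat([]byte{0x22}, 16)
	ad := []byte("constructed-protected-header")
	pt := []byte("same message for both recipients")

	for name, k := range map[string][]byte{"alice": alice, "bob": bob} {
		iv, ct, _ := Seal(k, ad, pt)
		fmt.Printf("%-5s IV/tag=%x ct[:8]=%x\n", name, iv, ct[:8])
	}
	n, _ := DistinctCiphertexts([][]byte{alice, bob}, ad, pt)
	fmt.Println("distinct ciphertexts for 2 recipients:", n)

	iv, ct, _ := Seal(alice, ad, pt)
	ct[0] ^= 0x01 // flip one ciphertext bit
	_, err := Open(alice, ad, iv, ct)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Sealing the same header and plaintext twice under one key is fully deterministic (the same IV and ciphertext come back), while the two recipient keys produce two different IV/ciphertext pairs; that is exactly why a single shared content ciphertext cannot be carried in a per-recipient SIV encoding unless the key used for F is shared.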