Re: [jose] Theoretical use of SIV AEAD mode in JOSE

"Jim Schaad" <ietf@augustcellars.com> Thu, 25 April 2013 22:52 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>
References: <01d501ce41f8$6288cb30$279a6190$@augustcellars.com> <D3235C00-5B1A-4FCF-8492-F50D61526990@vigilsec.com>
In-Reply-To: <D3235C00-5B1A-4FCF-8492-F50D61526990@vigilsec.com>
Date: Thu, 25 Apr 2013 15:52:03 -0700
Message-ID: <022801ce4207$81579cd0$8406d670$@augustcellars.com>
Cc: jose@ietf.org
Subject: Re: [jose] Theoretical use of SIV AEAD mode in JOSE

Russ,

I don't understand this comment.  SIV can be used in CMS today without this
problem.  Since the encryption key would be common to all of the recipients
in CMS Authenticated Enveloped Data there are no problems with using it.
Thus it would be equivalent to the S/MIME BCC recipients solution.

This would only be an issue for CMS if all of the key management data were
included in the authentication process, which it is not.

Jim

 

 

From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Thursday, April 25, 2013 3:26 PM
To: Jim Schaad
Cc: jose@ietf.org
Subject: Re: [jose] Theoretical use of SIV AEAD mode in JOSE

Jim:

I think that the advocates for SIV need to show how to apply it to multiple
recipients and produce the same ciphertext.  Otherwise, it is equivalent to
a separate message per recipient.  This is worse than the S/MIME solution
for BCC recipients.

Russ

On Apr 25, 2013, at 5:03 PM, Jim Schaad wrote:

First, I am not advocating that we should add SIV mode as a standard
encryption algorithm to the JOSE specifications.  However SIV mode has some
interesting properties and has been publicly declared as being IP free so I
want to make sure that we do not preclude the use of SIV mode if somebody
else wants to play with it.

A quick primer on how SIV mode works:

1. Compute the IV to be used for the message.  IV = F(Authenticated Data, Plain Text, Encryption Key)

2. Encrypt the Plain Text.  CipherText = AES-CTR(Plain Text, IV, Encryption Key)
   Note that I have not looked it up and it has been a while, but I am pretty
   sure that it does use CTR mode.

3. Compute the authentication Tag.  AT = IV

There are no problems with doing the encoding in that one can present the IV
as both the IV and the AT in the encoding so it is not as if one of these
fields becomes implicit.  However it does mean that the current encoding
format for multiple recipients is completely unusable.  One could use the
format but it would need to be in a single recipient mode only.  This is
because the IV and the encrypted text would, of necessity, be unique for
each recipient.

Jim
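Jim's three-step primer, worked through as an added example that is not part of the thread and not Jim's or Russ's code: HMAC-SHA256 is swapped in for the AES-based S2V and CTR primitives of real AES-SIV (RFC 5297), so the block shows the structure (a deterministic IV from the authenticated data and plaintext, CTR encryption under that IV, the IV reused as the tag) and the multi-recipient consequence the two messages argue over, not the standard's exact output. All keys and sample values are constructed.

```python
import hashlib
import hmac

# Educational SIV-style AEAD: HMAC-SHA256 stands in for the AES-based S2V and
# CTR primitives of AES-SIV (RFC 5297), keeping the structure from the primer:
#   IV = F(authenticated data, plaintext, key) (deterministic), CT = CTR(PT, IV, key), tag = IV.
TAG_LEN = 16


def _prf(key, *parts):
    # Length-prefix every part so (AD, PT) pairs cannot be re-split ("ab","c"
    # vs "a","bc"); this is the job S2V does in real AES-SIV.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()


def _ctr_keystream(key, iv, length):
    # Counter mode: keystream block i = PRF(key, "CTR", IV || i).
    out, i = b"", 0
    while len(out) < length:
        out += _prf(key, b"CTR", iv + i.to_bytes(8, "big"))
        i += 1
    return out[:length]


def siv_encrypt(key, aad, plaintext):
    """Step 1: IV = F(AAD, PT, K).  Step 2: CT = CTR(PT, IV, K).  Step 3: tag = IV."""
    iv = _prf(key, b"S2V", aad, plaintext)[:TAG_LEN]
    ks = _ctr_keystream(key, iv, len(plaintext))
    return iv, bytes(a ^ b for a, b in zip(plaintext, ks))


def siv_decrypt(key, aad, iv, ciphertext):
    """Decrypt, then recompute the IV over the result: the IV is the tag, so any
    change to AAD, IV or ciphertext makes the comparison fail."""
    ks = _ctr_keystream(key, iv, len(ciphertext))
    pt = bytes(a ^ b for a, b in zip(ciphertext, ks))
    if not hmac.compare_digest(_prf(key, b"S2V", aad, pt)[:TAG_LEN], iv):
        raise ValueError("SIV authentication failed")
    return pt


def same_ciphertext_for_all(keys, aad, plaintext):
    """Multi-recipient check: with one shared content-encryption key (the CMS
    model) every recipient gets the identical IV and ciphertext; with a
    distinct key per recipient the IV and ciphertext differ, so one encoded
    ciphertext cannot be shared across recipients."""
    return len({siv_encrypt(k, aad, plaintext) for k in keys}) == 1
```

Because the IV is derived from the plaintext, the same key and input always give the same (IV, ciphertext) pair, which is exactly why a shared content key works and per-recipient keys do not.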