Re: [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
Michael Jones <michael_b_jones@hotmail.com> Mon, 12 November 2012 20:25 UTC
Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A782121F859D for <jose@ietfa.amsl.com>; Mon, 12 Nov 2012 12:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.277
X-Spam-Level:
X-Spam-Status: No, score=-2.277 tagged_above=-999 required=5 tests=[AWL=0.321, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hYgAtO5m33Gm for <jose@ietfa.amsl.com>; Mon, 12 Nov 2012 12:25:05 -0800 (PST)
Received: from bay0-omc1-s2.bay0.hotmail.com (bay0-omc1-s2.bay0.hotmail.com [65.54.190.13]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA6C21F8462 for <jose@ietf.org>; Mon, 12 Nov 2012 12:25:05 -0800 (PST)
Received: from BAY171-W133 ([65.54.190.60]) by bay0-omc1-s2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 12 Nov 2012 12:25:04 -0800
Message-ID: <BAY171-W133C34B6212813A7B59F439B76D0@phx.gbl>
Content-Type: multipart/alternative; boundary="_e8f7860d-ce2d-4929-9424-1c73cd8e9749_"
X-Originating-IP: [50.47.91.23]
From: Michael Jones <michael_b_jones@hotmail.com>
To: mcgrew@cisco.com, cfrg@irtf.org, jose@ietf.org
Date: Mon, 12 Nov 2012 12:25:04 -0800
Importance: Normal
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B0F50A96C@xmb-rcd-x04.cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B0F50A96C@xmb-rcd-x04.cisco.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 12 Nov 2012 20:25:04.0774 (UTC) FILETIME=[CCC6EA60:01CDC113]
Subject: Re: [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2012 20:25:06 -0000
OK, I admit that the way I phrased my request may not be exactly in line with the way the “AEAD” terminology is used. I can correct that. That’s syntax. I was using “AEAD” as a shorthand for the working group’s decision to use only authenticated encryption algorithms – not to mean the particular combined representation of those parameters apparently specified in the AEAD draft. I will correct the terminology usage in the next revision of the JOSE specifications. The semantic point remains that it’s cleaner and more flexible to have the Key, the Plaintext, IV, and “additional authenticated data” parameters all be separate inputs and the Ciphertext and “authentication tag” all be separate outputs. In JOSE’s particular use case, that would be a significantly better match and easier for implementers to use. JOSE already has a way of combining the inputs and outputs that’s inherent to its representation, and it doesn’t match the one you’ve specified. GCM, CTR, and the current JOSE-specified algorithms are a great fit for this, as they can directly use that representation. The AEAD pattern you cite requires disassembly of the components of the AEAD-specific representation to be able to use the combinations already present in the JOSE representations and then reassembly at decryption time. That’s just more work for implementers, and it’s not semantically necessary work. Are you open to specifying versions of your algorithms that don’t require a particular combination method for the parameters, but instead leave the combination up to the use case? I’m fine with you also specifying a specific combination method as an optional feature of the specification. But it shouldn’t be part of the algorithm definition, just like it isn’t for GCM. Best wishes, -- Mike From: David McGrew (mcgrew) [mailto:mcgrew@cisco.com] Sent: Monday, November 12, 2012 11:43 AM To: Mike Jones; cfrg@irtf.org; jose@ietf.org Subject: Re: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01 Hi Mike, From: Mike Jones <Michael.Jones@microsoft.com> Date: Monday, November 12, 2012 1:55 PM To: Cisco Employee <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org> Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01 As background, if there was a version of this spec that did not assume that the parameters would be concatenated together in a specific way, but left them as independent inputs and outputs, as AES GCM and AES CTR do, it would be a better match for JOSE’s use case. I believe that what you are referring to is the inclusion of the authentication tag in the authenticated ciphertext. This is not just a property of draft-mcgrew-aead-aes-cbc-hmac-sha2; it is a feature of all 19 of the AEAD algorithms that have been defined so far. For comparison, draft-mcgrew-aead-aes-cbc-hmac-sha2 says The AEAD Ciphertext consists of the string S, with the string T appended to it. This Ciphertext is returned as the output of the AEAD encryption operation. Where S is the ciphertext and T is the authentication tag. RFC 5116 says "The AEAD_AES_128_GCM ciphertext is formed by appending the authentication tag provided as an output to the GCM encryption operation to the ciphertext that is output by that operation." David -- Mike From: mcgrew@cisco.com To: cfrg@irtf.org; jose@ietf.org Date: Mon, 12 Nov 2012 18:20:57 +0000 CC: Kenny.Paterson@rhul.ac.uk Subject: [jose] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01 Hi, There is a new version of "Authenticated Encryption with AES-CBC and HMAC-SHA", and I would appreciate your review. It is online at <https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/?include_text=1> The diff between the current and the previous version is available at <http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-01> This draft has been proposed for use in the JOSE WG <http://datatracker.ietf.org/wg/jose/> , where its adoption would allow the working group to omit "raw" unauthenticated encryption, e.g. AES-CBC, and only include authenticated encryption. Thus I am asking for your help in making John Foley generated test cases that correspond to the current version of the draft, but I didn't include these in the draft because I did not yet get confirmation from a second independent implementation. With hope, there will not be any need for any normative changes, and I will include these after I get confirmation. Thanks, David _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] Authenticated Encryption with AES-CBC and … David McGrew (mcgrew)
- Re: [jose] Authenticated Encryption with AES-CBC … Michael Jones
- Re: [jose] [Cfrg] Authenticated Encryption with A… David McGrew (mcgrew)
- Re: [jose] Authenticated Encryption with AES-CBC … Michael Jones
- Re: [jose] [Cfrg] Authenticated Encryption with A… Dan Harkins
- Re: [jose] Authenticated Encryption with AES-CBC … David McGrew (mcgrew)
- Re: [jose] [Cfrg] Authenticated Encryption with A… David McGrew (mcgrew)
- Re: [jose] [Cfrg] Authenticated Encryption with A… Dan Harkins
- Re: [jose] [Cfrg] Authenticated Encryption with A… Dan Harkins
- Re: [jose] [Cfrg] Authenticated Encryption with A… Manger, James H
- Re: [jose] [Cfrg] Authenticated Encryption with A… David McGrew (mcgrew)
- Re: [jose] [Cfrg] Authenticated Encryption with A… Mike Jones
- Re: [jose] [Cfrg] Authenticated Encryption with A… Russ Housley
- Re: [jose] [Cfrg] Authenticated Encryption with A… Mike Jones