[jose] Choice for WG: Use a KDF with AES CBC or use a longer key

"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 12 November 2012 16:44 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A4FD821F86D0 for <jose@ietfa.amsl.com>; Mon, 12 Nov 2012 08:44:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id jZEwrVhD3jJB for <jose@ietfa.amsl.com>; Mon, 12 Nov 2012 08:44:41 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com []) by ietfa.amsl.com (Postfix) with ESMTP id B4F0A21F86DC for <jose@ietf.org>; Mon, 12 Nov 2012 08:43:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10789; q=dns/txt; s=iport; t=1352738607; x=1353948207; h=from:to:cc:subject:date:message-id:mime-version; bh=XzeLjQt1rOcPN6T03lPvTprHl2FAY281Z7UuIveotfo=; b=LwML1aD45ZauJ3TL18qcTmBHCqJFyrA5NhwnwPMK9fa9MvkJfTZ5wc0F abKPbhmkmcgGBFkHdgmiHZLWOIT/fZWfLqYoJYCA7MN2ukc/9LuQfj43s uG5kxSKmjoZGleMo9I0ZZkjTNxtSneWykby9NL6auMJ9IBAlNJ9xXCIyy w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AioJAIImoVCtJV2a/2dsb2JhbABEgkmuaZAqgX2BAQeCHgEBAQMBEgFmBQ0BGQMBAgtWHQoEDg0TB4dWAwkGC5oOlggDGolEjBWFaWEDlxiNPIFrgm+CGQ
X-IronPort-AV: E=McAfee;i="5400,1158,6893"; a="141342082"
Received: from rcdn-core-3.cisco.com ([]) by rcdn-iport-5.cisco.com with ESMTP; 12 Nov 2012 16:43:23 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com []) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id qACGhNgq002323 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 12 Nov 2012 16:43:23 GMT
Received: from xmb-rcd-x04.cisco.com ([]) by xhc-rcd-x07.cisco.com ([]) with mapi id 14.02.0318.001; Mon, 12 Nov 2012 10:43:22 -0600
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: "michael_b_jones@hotmail.com" <michael_b_jones@hotmail.com>
Thread-Topic: [jose] Choice for WG: Use a KDF with AES CBC or use a longer key
Thread-Index: AQHNwPTTk66PENi2xEKklkO+owUlFw==
Date: Mon, 12 Nov 2012 16:43:21 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B0F50A90C@xmb-rcd-x04.cisco.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
x-tm-as-product-ver: SMEX-
x-tm-as-result: No--40.455300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_747787E65E3FBD4E93F0EB2F14DB556B0F50A90Cxmbrcdx04ciscoc_"
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 12 Nov 2012 09:55:56 -0800
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: [jose] Choice for WG: Use a KDF with AES CBC or use a longer key
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2012 16:44:47 -0000

Hi Mike,

Please see <DAM> inline.

From: Michael Jones <michael_b_jones at hotmail.com>
To: <james.h.manger at team.telstra.com>, <jose at ietf.org>
Date: Sun, 11 Nov 2012 17:30:54 -0800
In-reply-to: <255B9BB34FB7D647A506DC292726F6E11500331CA9 at WSMSG3153V.srv.dir.telstra.com>
References: <BAY171-W32DD53461B3DF4235F053DB7680 at phx.gbl>, <255B9BB34FB7D647A506DC292726F6E11500331CA9 at WSMSG3153V.srv.dir.telstra.com>
List-id: Javascript Object Signing and Encryption <jose.ietf.org>

Using draft-mcgrew-aead-aes-cbc-hmac-sha2 is not the same thing as (1). For instance, as was discussed after David's presentation at IETF 84, draft-mcgrew-aead-aes-cbc-hmac-sha2 does not follow the pattern of AEAD algorithms such as AES GCM, which have two inputs (plaintext, "additional authenticated data"), and two outputs (ciphertext, "authentication tag"). Instead, it adds a step combining the ciphertext and "authentication tag" outputs.

draft-mcgrew-aead-aes-cbc-hmac-sha2 does use exactly the same interface as AES-GCM, RFC 5116, and the other AEAD algorithms that make use of that interface.
To make this more clear, I can make the following addition.  Section 2.1 starts out as "We briefly recall the encryption interface defined in Section 2 of  [RFC5116]."   I will add "which is used by all of the algorithms defined in this note".

If you read the draft, implementation of draft-mcgrew-aead-aes-cbc-hmac-sha2 has a lot more steps than what we have for A128CBC+HS256 and A256CBC+HS512. It requires generating and adding specific padding bytes. It prefixes the ciphertext with the IV. It includes the length of the "additional authenticated data" in the MAC calculation. It combines the two outputs into one. For decryption, likewise, the two outputs must be split apart, the IV must be split apart, etc.

All of these are steps that implementations could get wrong, resulting in interoperability problems. By keeping all the parameters separate, our current A128CBC+HS256 and A256CBC+HS512 algorithms eliminate those steps.

draft-mcgrew-aead-aes-cbc-hmac-sha2 has all of the required steps for authenticated encryption, and does not have any extraneous steps.   Things like plaintext padding need to be specified, and it is critical to have the length of the associated data included in the MAC input (see Section 6, third paragraph, of draft-mcgrew).

The fact that implementations might get these details wrong is why they belong in the crypto algorithm, and not in the JOSE implementation.    Consider, for instance, that with the AEAD approach these details would get test coverage from the AEAD test cases; otherwise, there are details that would go untested.


I'm sorry for the apparent confusion between (1) and draft-mcgrew-aead-aes-cbc-hmac-sha2. While they both explicitly represent the CMK and CEK, and use the same underlying crypto operations, the details differ in ways that are likely to matter to implementers.

When JOSE met at IETF84, the consensus of the room was to use AEAD and draft-mcgrew-aead-aes-cbc-hmac-sha2, and omit unauthenticated encryption.   That's what JOSE should do, as it is the technically best solution.   I will ask Kevin Igoe to move draft-mcgrew forward to RFC.


 If there was a version of draft-mcgrew-aead-aes-cbc-hmac-sha2 that kept all the inputs and outputs separate, I agree that it would be a reasonable candidate for JOSE to consider. But unlike AES GCM, that's not what it does.

draft-mcgrew-aead-aes-cbc-hmac-sha2 uses the same interface as does AEAD_AES_128_GCM; see Section 5.1 of RFC 5116.


-- Mike

> From: James.H.Manger at team.telstra.com
> To: michael_b_jones at hotmail.com; jose at ietf.org
> Date: Mon, 12 Nov 2012 09:23:37 +1100
> Subject: RE: [jose] Choice for WG: Use a KDF with AES CBC or use a longer key
> > So I’d like to explicitly ask the working group. Do you want us to:
> >
> > (1) Use the concatenation of random CEK and CIK values as the CMK for AES CBC, resulting in a longer CMK?
> > (2) Continue to use a KDF to generate the CEK and CIK from a shorter CMK?
> 1. Use draft-mcgrew-aead-aes-cbc-hmac-sha2
> --
> James Manger