Re: [jose] Use of AES-HMAC algorithm
"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 28 March 2013 04:40 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9203A21F8ECB for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 21:40:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.551
X-Spam-Level:
X-Spam-Status: No, score=-0.551 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, J_CHICKENPOX_34=0.6, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPcYrCY0HUtR for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 21:40:44 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9BC21F8EBE for <jose@ietf.org>; Wed, 27 Mar 2013 21:40:43 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.84,924,1355058000"; d="scan'208";a="126784340"
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipocvi.tcif.telstra.com.au with ESMTP; 28 Mar 2013 15:40:41 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7027"; a="174642397"
Received: from wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) by ipcavi.tcif.telstra.com.au with ESMTP; 28 Mar 2013 15:40:41 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) with mapi; Thu, 28 Mar 2013 15:40:41 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 28 Mar 2013 15:40:40 +1100
Thread-Topic: [jose] Use of AES-HMAC algorithm
Thread-Index: Ac4rZN5zdL6mEQU9TmOxKo0eAxyiwQAACp/A
Message-ID: <255B9BB34FB7D647A506DC292726F6E1150C06E53B@WSMSG3153V.srv.dir.telstra.com>
References: <006801ce2b39$52595700$f70c0500$@augustcellars.com> <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com> <1D2E2774-4A20-43AE-A2D6-30FF797DAAAF@gmail.com> <4E1F6AAD24975D4BA5B168042967394367590D06@TK5EX14MBXC283.redmond.corp.microsoft.com> <366657CD-2349-4AA8-B5BC-2A08A136ED08@gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C06E272@WSMSG3153V.srv.dir.telstra.com> <68E0869F-C3D0-4154-8E01-725509B59835@gmail.com>
In-Reply-To: <68E0869F-C3D0-4154-8E01-725509B59835@gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Use of AES-HMAC algorithm
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2013 04:40:45 -0000
I haven’t been at any of the meeting either! It is hard to track. Java added AEAD support in v7 (eg javax.crypto.cipher#updateAAD). OpenSSL has added AEAD support. I think OpenSSL AEAD support has filtered into Ruby. Apparently it hasn't filtered into node.js yet. Microsoft Crypto Next Generation (Cng) has added AEAD support. Go supports AE-without-the-AD, as does NaCl. So I think JOSE will live long enough for explicit AEAD support in crypto libraries to be the norm. -- James Manger > -----Original Message----- > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Thursday, 28 March 2013 2:32 PM > To: Manger, James H > Cc: Mike Jones; Jim Schaad; jose@ietf.org > Subject: Re: [jose] Use of AES-HMAC algorithm > > Thanks for taking the time to explain James. Not being at the meetings > makes it tough to track. > > My summary of what you said is that there are two different ways that > have been proposed to use AES-CBC and HMAC-SHA: the one currently in > the spec, and "David's algorithm". > > FWIW as an implementer: none of the crypto libraries I have looked at > are going to do D, E, & F for me; so I am doing them in my library and > having them as separate fields vs yet-another-concatenation-algorithm > is preferred. I can see why that would not be desirable if the format > is then inconsistent with AEAD. Having said that, I'm coding in > node.js, and even though it uses opensll that has AEAD, none of the > AEAD interfaces are exposed currently in node.js, and I don't see that > changing anytime soon => not sure AEAD is going to be incorporated with > JWT libraries. > > -- Dick > > On Mar 27, 2013, at 7:49 PM, "Manger, James H" > <James.H.Manger@team.telstra.com> wrote: > > > Dick, > > > > draft-mcgrew-aead-aes-cbc-hmac-sha2 "Authenticated Encryption with > AES-CBC and HMAC-SHA" < http://tools.ietf.org/html/draft-mcgrew-aead- > aes-cbc-hmac-sha2> is "David's algorithm". > > > > > > Both draft-mcgrew-aead-aes-cbc-hmac-sha2 and "A128CBC+HS256" in JWA > define a way to combine CBC and HMAC to get authenticated encryption. > They make some different choices: > > > > A. Concatenate CBC & HMAC keys vs use a KDF to derive CBC & HMAC > keys; > > > > B. 128+128 bit key sizes vs 128+256 bit keys size (for AES-128 & > HMAC-256) > > > > C. Authentication tag half the hash size vs the full hash size > > > > D. Auth tag concatenated to ciphertext vs separate field > > > > E. IV concatenated with ciphertext vs separate field > > > > F. HMAC calculated over the raw ciphertext vs base64url-encoded > ciphertext > > > > Mike is right that the crypto choices (A, B, C) will be more > acceptable coming from the Crypto Forum Research Group (CRFG) group in > a spec specifically describing CBC+HMAC (with security considerations > and rationales for its choices, plus test vectors etc), compared to a > JOSE-specific definition that is a small part of a JWA doc. > > > > D, E, & F are more to do with how the algorithms fit with crypto > APIs. We will often have application code, JOSE library code, and > crypto library code. The issues are which layers need to know which > algorithm-specific details. > > > > Crypto libraries have historically offered CBC and HMAC interfaces. > Now they are starting to offer AEAD interfaces. The CBC+HMAC algorithm > we put in JOSE should be able to work well with AEAD interfaces. Draft- > mgrew will work as it fits a model for AEAD algorithms defined in RFC > 5116 "An Interface and Algorithms for Authenticated Encryption". The > current JOSE-specific alg will NOT fit AEAD interfaces well -- > primarily because of difference F (that mixes app-layer base64url- > encoding with a step that is internal to the AEAD algorithm). > > > > The authentication tag (difference D) is a subtler issue. A tag is a > core component of a bunch of AEAD algorithms so some AEAD APIs have > explicit support for a tag field. However it is really an internal > detail: either the decryption hands back plaintext or it fails. A > crypto library's implementation of an AEAD alg that has a tag needs to > distinguish the tag from the rest of the ciphertext -- but does the > app-layer need to distinguish the two? Not really. > > > > > > I understand (and hope) the JOSE consensus is to go with draft-mcgrew > on points A, B, C, and F. > > > > My opinion is that we should go with draft-mcgrew (and RFC5116) for D > & E as well, but Mike (and others) disagree. It shouldn't affect the > maths of the crypto, but it does affect APIs and the degree that the > app layer can be (partially) relieved of the responsibility of dealing > with some tough crypto issues (such as crypto-quality randomness, > uniqueness of nonces etc). > > > > -- > > James Manger > >
- [jose] Use of AES-HMAC algorithm Jim Schaad
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Use of AES-HMAC algorithm Jim Schaad