IETF Logo Mail Archive

Re: [jose] Use of AES-HMAC algorithm

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 28 March 2013 04:40 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9203A21F8ECB for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 21:40:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.551
X-Spam-Level:
X-Spam-Status: No, score=-0.551 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, J_CHICKENPOX_34=0.6, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPcYrCY0HUtR for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 21:40:44 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9BC21F8EBE for <jose@ietf.org>; Wed, 27 Mar 2013 21:40:43 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.84,924,1355058000"; d="scan'208";a="126784340"
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipocvi.tcif.telstra.com.au with ESMTP; 28 Mar 2013 15:40:41 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7027"; a="174642397"
Received: from wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) by ipcavi.tcif.telstra.com.au with ESMTP; 28 Mar 2013 15:40:41 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3756.srv.dir.telstra.com ([172.49.40.84]) with mapi; Thu, 28 Mar 2013 15:40:41 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 28 Mar 2013 15:40:40 +1100
Thread-Topic: [jose] Use of AES-HMAC algorithm
Thread-Index: Ac4rZN5zdL6mEQU9TmOxKo0eAxyiwQAACp/A
Message-ID: <255B9BB34FB7D647A506DC292726F6E1150C06E53B@WSMSG3153V.srv.dir.telstra.com>
References: <006801ce2b39$52595700$f70c0500$@augustcellars.com> <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com> <1D2E2774-4A20-43AE-A2D6-30FF797DAAAF@gmail.com> <4E1F6AAD24975D4BA5B168042967394367590D06@TK5EX14MBXC283.redmond.corp.microsoft.com> <366657CD-2349-4AA8-B5BC-2A08A136ED08@gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C06E272@WSMSG3153V.srv.dir.telstra.com> <68E0869F-C3D0-4154-8E01-725509B59835@gmail.com>
In-Reply-To: <68E0869F-C3D0-4154-8E01-725509B59835@gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Use of AES-HMAC algorithm
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2013 04:40:45 -0000

I haven’t been at any of the meeting either! It is hard to track.

Java added AEAD support in v7 (eg javax.crypto.cipher#updateAAD).
OpenSSL has added AEAD support.
I think OpenSSL AEAD support has filtered into Ruby.
Apparently it hasn't filtered into node.js yet.
Microsoft Crypto Next Generation (Cng) has added AEAD support.
Go supports AE-without-the-AD, as does NaCl.

So I think JOSE will live long enough for explicit AEAD support in crypto libraries to be the norm.

--
James Manger


> -----Original Message-----
> From: Dick Hardt [mailto:dick.hardt@gmail.com]
> Sent: Thursday, 28 March 2013 2:32 PM
> To: Manger, James H
> Cc: Mike Jones; Jim Schaad; jose@ietf.org
> Subject: Re: [jose] Use of AES-HMAC algorithm
> 
> Thanks for taking the time to explain James. Not being at the meetings
> makes it tough to track.
> 
> My summary of what you said is that there are two different ways that
> have been proposed to use AES-CBC and HMAC-SHA: the one currently in
> the spec, and "David's algorithm".
> 
> FWIW as an implementer: none of the crypto libraries I have looked at
> are going to do D, E, & F for me; so I am doing them in my library and
> having them as separate fields vs yet-another-concatenation-algorithm
> is preferred. I can see why that would not be desirable if the format
> is then inconsistent with AEAD. Having said that, I'm coding in
> node.js, and even though it uses opensll that has AEAD, none of the
> AEAD interfaces are exposed currently in node.js, and I don't see that
> changing anytime soon => not sure AEAD is going to be incorporated with
> JWT libraries.
> 
> -- Dick
> 
> On Mar 27, 2013, at 7:49 PM, "Manger, James H"
> <James.H.Manger@team.telstra.com> wrote:
> 
> > Dick,
> >
> > draft-mcgrew-aead-aes-cbc-hmac-sha2 "Authenticated Encryption with
> AES-CBC and HMAC-SHA" < http://tools.ietf.org/html/draft-mcgrew-aead-
> aes-cbc-hmac-sha2> is "David's algorithm".
> >
> >
> > Both draft-mcgrew-aead-aes-cbc-hmac-sha2 and "A128CBC+HS256" in JWA
> define a way to combine CBC and HMAC to get authenticated encryption.
> They make some different choices:
> >
> > A. Concatenate CBC & HMAC keys vs use a KDF to derive CBC & HMAC
> keys;
> >
> > B. 128+128 bit key sizes vs 128+256 bit keys size (for AES-128 &
> HMAC-256)
> >
> > C. Authentication tag half the hash size vs the full hash size
> >
> > D. Auth tag concatenated to ciphertext vs separate field
> >
> > E. IV concatenated with ciphertext vs separate field
> >
> > F. HMAC calculated over the raw ciphertext vs base64url-encoded
> ciphertext
> >
> > Mike is right that the crypto choices (A, B, C) will be more
> acceptable coming from the Crypto Forum Research Group (CRFG) group in
> a spec specifically describing CBC+HMAC (with security considerations
> and rationales for its choices, plus test vectors etc), compared to a
> JOSE-specific definition that is a small part of a JWA doc.
> >
> > D, E, & F are more to do with how the algorithms fit with crypto
> APIs. We will often have application code, JOSE library code, and
> crypto library code. The issues are which layers need to know which
> algorithm-specific details.
> >
> > Crypto libraries have historically offered CBC and HMAC interfaces.
> Now they are starting to offer AEAD interfaces. The CBC+HMAC algorithm
> we put in JOSE should be able to work well with AEAD interfaces. Draft-
> mgrew will work as it fits a model for AEAD algorithms defined in RFC
> 5116 "An Interface and Algorithms for Authenticated Encryption". The
> current JOSE-specific alg will NOT fit AEAD interfaces well --
> primarily because of difference F (that mixes app-layer base64url-
> encoding with a step that is internal to the AEAD algorithm).
> >
> > The authentication tag (difference D) is a subtler issue. A tag is a
> core component of a bunch of AEAD algorithms so some AEAD APIs have
> explicit support for a tag field. However it is really an internal
> detail: either the decryption hands back plaintext or it fails. A
> crypto library's implementation of an AEAD alg that has a tag needs to
> distinguish the tag from the rest of the ciphertext -- but does the
> app-layer need to distinguish the two? Not really.
> >
> >
> > I understand (and hope) the JOSE consensus is to go with draft-mcgrew
> on points A, B, C, and F.
> >
> > My opinion is that we should go with draft-mcgrew (and RFC5116) for D
> & E as well, but Mike (and others) disagree. It shouldn't affect the
> maths of the crypto, but it does affect APIs and the degree that the
> app layer can be (partially) relieved of the responsibility of dealing
> with some tough crypto issues (such as crypto-quality randomness,
> uniqueness of nonces etc).
> >
> > --
> > James Manger
> >

v2.23.0 | Report a Bug | By Email