IETF Logo Mail Archive

Re: [jose] Use of AES-HMAC algorithm - Consensus Request

Mike Jones <Michael.Jones@microsoft.com> Fri, 05 April 2013 00:14 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5656221F90F1 for <jose@ietfa.amsl.com>; Thu, 4 Apr 2013 17:14:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.492
X-Spam-Level:
X-Spam-Status: No, score=-2.492 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fr5eiOXJStwA for <jose@ietfa.amsl.com>; Thu, 4 Apr 2013 17:13:59 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0204.outbound.protection.outlook.com [207.46.163.204]) by ietfa.amsl.com (Postfix) with ESMTP id 597F421F93C7 for <jose@ietf.org>; Thu, 4 Apr 2013 17:13:59 -0700 (PDT)
Received: from BY2FFO11FD002.protection.gbl (10.1.15.202) by BY2FFO11HUB014.protection.gbl (10.1.14.86) with Microsoft SMTP Server (TLS) id 15.0.664.0; Fri, 5 Apr 2013 00:13:46 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD002.mail.protection.outlook.com (10.1.14.124) with Microsoft SMTP Server (TLS) id 15.0.664.0 via Frontend Transport; Fri, 5 Apr 2013 00:13:45 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0318.003; Fri, 5 Apr 2013 00:13:34 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] Use of AES-HMAC algorithm - Consensus Request
Thread-Index: Ac4xjwlItr+CaRraTdmKwkwJbuMokQAAzTPg
Date: Fri, 05 Apr 2013 00:13:33 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943675B5BDC@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <017a01ce318f$482d8470$d8888d50$@augustcellars.com>
In-Reply-To: <017a01ce318f$482d8470$d8888d50$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464002)(35754002)(377454001)(51444002)(51704002)(47446002)(50466001)(20776003)(80022001)(47976001)(47776003)(47736001)(79102001)(56776001)(59766001)(46102001)(63696002)(31966008)(49866001)(4396001)(51856001)(74662001)(54316002)(77982001)(74502001)(66066001)(81342001)(23726001)(54356001)(44976002)(55846006)(76482001)(33656001)(46406002)(15202345001)(53806001)(69226001)(5343655001)(56816002)(81542001)(50986001)(65816001)(16406001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB014; H:TK5EX14MLTC104.redmond.corp.microsoft.com; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 08076ABC99
Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 00:14:00 -0000

I'm in favor of the change.  I believe that this equivalent to issue http://trac.tools.ietf.org/wg/jose/trac/ticket/3 - correct?

				-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Thursday, April 04, 2013 4:51 PM
To: jose@ietf.org
Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request

<chair> 

At the request of the editors, this is a formal consensus call on the first item in the list below.  If there are objects to use a single long key rather than a KDF function for the AES-CBC/HMAC algorithm please speak up now.  To date nobody has said that I was wrong to assume the consensus on that item.

Call ends in one week.

Jim


> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf 
> Of
Jim
> Schaad
> Sent: Wednesday, March 27, 2013 3:21 PM
> To: jose@ietf.org
> Subject: [jose] Use of AES-HMAC algorithm
> 
> <chair>
> After spending time looking at and thinking about how to resolve this
issue
> since I was unable to do so at the last F2F meeting.  I have come up 
> with
the
> following set of issues that might need to be addressed as part of
resolving
> this issue.
> 
> 1.  Do we change from using KDC to having a double size key for the 
> algorithm?  I think that there is probably a consensus that this 
> should be
done.
> 
> 2. Should IVs be prepended to the encrypted body as part of the 
> encoding steps?  If so then this change should be universal.
> 
> Doing so would eliminate one field from all of the encoding formats 
> which should be considered a plus.
> Doing so would force code writers to understand how large the IV is 
> for
all
> algorithms as the IV would no longer be a separate item.
> 
> 3. Should Authentication Tags be appended to the encrypted body as 
> part of the encoding steps?
> 
> Doing so would eliminate one field from all of the encoding formats 
> which should be considered a plus.
> Doing so would force code writers to understand how large the IV is 
> for
all
> algorithms as the IV would no longer be a separate item.
> Doing so would force a re-organization for the multiple recipient case 
> as either all recipient specific data would need to be excluded from 
> the authentication step or all of the recipient data would need to be 
> included
for
> by all recipients.
> Changing how the recipient info is process is going to give a 
> performance benefit for sending encrypted items for multiple recipients.
> The current strategy of a single IV and key pair with AES-GCM and
different
> authentication data needs to have CFRG look at it.  I am worried that 
> it
might
> be a serious security flaw.
> 
> 4. Should we reference the McGrew draft and provide text on how things 
> are changed or should we "copy" the draft into our text?
> 
> 5.  If we allow for the use of AES-GCM or AES-HMAC for doing key 
> wrapping, does this change how we think about any of the above questions?
> 
> Allowing for AES-GCM for key wrapping has a benefit for hardware
situations
> as only the encrypt and not the decrypt functions need to be placed in 
> hardware.  However allowing for this key wrapping give a problem as 
> there
is
> no way to encode the three fields into the encrypted value unless with 
> use either a JSON structure in this location or we do use the single 
> appended binary output stream.  The first approach leads to an 
> expansion of the
field by
> double base64 encoding which is highly undesirable.
> 
> Jim
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email