Re: [jose] Discussion Topic - Lets kill all non AEAD algorithms

["Manger, James H" <James.H.Manger@team.telstra.com>]

Jim Schaad said:
> The message title is deliberately provocative, but does indicate the
> path that I think we should follow for the document.  Specifically what
> what I would like to do is to remove the non AEAD algorithms and replace
> them with AEAD algorithms that are, more or less, equivalent.  This
> means that I would like define three new algorithms AES128-HS256,
> AES256-HS256 and AES512-HS512 that are AEAD algorithms.
> 
> Advantages:
> 
> 1.  The header is smaller as we can eliminate the "int:" field
> 2.  We make it clear that non-AEAD algorithms are not permitted and put
> it on the algorithm definer and not on the implementer to fix the
> problem if the proposed algorithm is not an AEAD algorithm.
> 3.  It makes the encryption document simpler as there is now only one
> encryption/decrypt set of steps to follow.
> 4.  The KDF moves from JWE to JWA where it more properly belongs
> 5.  The KDF now becomes an implicit parameter of the algorithm and it
> is easy to change it for an updated one later as necessary for specific
> algorithms.  As it currently stands there is no easy way to change this
> on an algorithm by algorithm basis.  This means that we can use SHA-256
> for the first two algorithms and SHA-512 for the last one - this means
> that we don't "lose bits" in the process of doing the KDF.
> 6.  The test matrix becomes smaller for implementers as there is a list
> rather than a matrix of possible functions to look at.


I agree with this approach.
Hardwiring the KDF to use SHA-256 is a showstopper in the current approach [JWE-02], particularly with SHA-3 on the horizon.


I guess "AES512-HS512" should actually be "AES256-HS512", or better still "A256CBC-HS512" to be a bit more consistent with other names.

--
James Manger