[jose] AEAD-only
"Manger, James H" <James.H.Manger@team.telstra.com> Wed, 17 October 2012 05:32 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CEAC21F87A8 for <jose@ietfa.amsl.com>; Tue, 16 Oct 2012 22:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.871
X-Spam-Level:
X-Spam-Status: No, score=-0.871 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9unBKn28hxj for <jose@ietfa.amsl.com>; Tue, 16 Oct 2012 22:32:44 -0700 (PDT)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by ietfa.amsl.com (Postfix) with ESMTP id C557121F877C for <jose@ietf.org>; Tue, 16 Oct 2012 22:32:42 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.80,598,1344175200"; d="scan'208";a="98533648"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipoavi.tcif.telstra.com.au with ESMTP; 17 Oct 2012 16:32:40 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,6867"; a="94368374"
Received: from wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) by ipccvi.tcif.telstra.com.au with ESMTP; 17 Oct 2012 16:32:39 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3757.srv.dir.telstra.com ([172.49.40.85]) with mapi; Wed, 17 Oct 2012 16:32:39 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Date: Wed, 17 Oct 2012 16:32:38 +1100
Thread-Topic: [jose] AEAD-only
Thread-Index: Ac2ra69SDtelvfepRBCO1gAjjbxxsQAs/NCA
Message-ID: <255B9BB34FB7D647A506DC292726F6E114FDDCC27D@WSMSG3153V.srv.dir.telstra.com>
References: <4E1F6AAD24975D4BA5B168042967394366853BB5@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394366853BB5@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: [jose] AEAD-only
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2012 05:32:44 -0000
It is great to see "A128CBC+HS256" as a name for an AEAD algorithm (instead of 3 names for enc/int/kdf components). The rest of the JWE spec needs further edits to properly reflect the AEAD-only model — as does the JWA spec. 1. Drop section 3.2. "Example JWE with a Separate Integrity Check"; rename section 3.1 to be "Example". The difference between an "integrated" AEAD algorithm (eg A256GCM) and a "constructed" AEAD algorithm (eg A128CBC+HS256) shouldn't be visible at this level (ie in this spec). 2. Section 5 "Message Encryption" step 1: the size of the CMK is determined by the AEAD algorithm (enc parameter value), not the size required for the block encryption algorithm. 3. Section 5 "Message Encryption". There is no mention of what the Additional Data is for the AEAD algorithm. Add a step 11b that defines what the Additional Data is. Adjust step 12 to say the (compressed) plaintext and Additional Data are passed to the AEAD algorithm. 4. Section 6 "Message Decryption". As above, a step needs to specifying what the Additional Data is. 5. Section 1 "Introduction". It would be worth mentioning that an AEAD algorithm is used to provide confidentiality and integrity, along with the model of an AEAD algorithm (fixed length symmetric key; plaintext and Additional Data inputs; iv?; ciphertext and integrity tag outputs). 6. Section 4.1.2. ""enc" (Encryption Method) Header Parameter". Say it is an AEAD algorithm. Explicitly state that the "enc" value must imply a specific key length. A specific key length is required for key agreement or for generating a random CMK. In JWA: 7. Section 4.8.3 "Integrity Calculation for "A128CBC+HS256" and "A256CBC+HS512"" should refer to the Authenticated Data passed to the algorithm. It should not redefine how the Authenticated Data is built from dots and base64url-encodings. 8. Section 4.9 "Plaintext Encryption with AES GCM" similarly should not redefine how the Authenticated Data is built. Choosing to only support AEAD algorithms was a good choice. It should make it easier to understand the security properties. However, at the moment different AEAD algorithm use different inputs for the Authenticated Data portion, which really undermines any understanding of the security. -- James Manger
- [jose] JOSE and JWT specs incorporating working g… Mike Jones
- Re: [jose] JOSE and JWT specs incorporating worki… Vladimir Dzhuvinov / NimbusDS
- Re: [jose] JOSE and JWT specs incorporating worki… Mike Jones
- [jose] xpo Manger, James H
- Re: [jose] xpo Richard Barnes
- [jose] AEAD-only Manger, James H
- Re: [jose] xpo Sean Turner
- Re: [jose] xpo Nat Sakimura
- Re: [jose] xpo Matt Miller (mamille2)