Re: [jose] CAESAR crypto competition’s model of an AEAD algorithm

Richard Barnes <rlb@ipv.sx> Tue, 16 July 2013 23:32 UTC

In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1151C7C368F@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1151C7C368F@WSMSG3153V.srv.dir.telstra.com>
Date: Tue, 16 Jul 2013 19:32:30 -0400
Message-ID: <CAL02cgS6h8_-rqZ2Vy1Yu3SPL1tY3NdeCeXRjpqky-J6L2cvCA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] CAESAR crypto competition’s model of an AEAD algorithm

On Tue, Jul 16, 2013 at 12:29 AM, Manger, James H <
James.H.Manger@team.telstra.com> wrote:

> “CAESAR (Competition for Authenticated Encryption: Security,
> Applicability, and Robustness) will identify a portfolio of authenticated
> ciphers that offer advantages over AES-GCM and that are suitable for
> widespread adoption.”
>
> http://competitions.cr.yp.to/caesar-call-3.html
>
> CAESAR should be of interest to JOSE for its *model* of AEAD algorithms.
> Slotting any CAESAR algorithm into JOSE (eg mapping JOSE fields to
> crypto_aead_decrypt() arguments) should be trivial once an “alg” string is
> picked. CAESAR says an AEAD algorithm has 5 inputs (plaintext, associated
> data, secret message number, public message number, and a key) and 1 output
> (ciphertext).
>

Thanks for the pointer.  I agree that being able to use these algorithms
easily with JOSE is a good objective.


> “Message number” is unusual terminology for a nonce, but reflects the fact
> that only part of the nonce might be in a message (ie only the public
> message number). This mainly corresponds to ‘iv’ in JOSE, which is sometimes
> a dot-separated B64 segment, and sometimes a header parameter.
>
> A more important clash between CAESAR and JOSE is JOSE’s ‘tag’ field that
> does not exist as a distinct item in the CAESAR model. [One more reason to
> fix issue #11 properly.]
>

I don't view that as a huge issue.  The "tag" field can simply be omitted
for AEAD algorithms that don't have an explicit tag.  IIRC, that was the
resolution when we discussed CCM earlier.  (In the current JWE draft, "tag"
is required to be present only when the "JWE Authentication Tag" is
non-empty.)



> P.S. While I’m talking about AEAD tags, the latest change to A128GCMKW
> moves the key wrap tag from outside the AAD to inside the AAD of the
> subsequent content encryption. Are there any implications for this change to
> the security properties?
>

This is the real issue.  In order to be able to cleanly encode an AAD
operation (without special JOSE cruft in the inputs), we need the ability
to specify an explicit AAD value, as was added in -13.  (The text in -13
isn't quite right, though, because it requires that the AAD be
base64-encoded before use.)

--Richard




> --
>
> James Manger
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
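The mismatch James points out, a CAESAR-style AEAD that returns a single ciphertext versus JOSE's distinct "ciphertext" and "tag" fields, is a serialization question rather than a cryptographic one, and the following Go program, added here as an illustration and not code from either poster or from any JOSE library, shows the adapter in both directions. Go's `cipher.AEAD` interface already has the CAESAR shape: `Seal` takes a nonce, plaintext and associated data and returns ciphertext with the tag appended, so the only work is splitting the trailing `Overhead()` bytes into the "tag" segment and base64url-encoding each piece. The `JWEParts` struct, the function names, and the sample key, nonce and header are constructed for this example; the AAD is taken to be the ASCII bytes of the base64url-encoded protected header (the form JWE binds to the ciphertext), and the example does not model the separate explicit "aad" parameter Richard discusses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// JWEParts holds the JWE Compact Serialization segments that a CAESAR-style
// single-output AEAD result has to be split into. Field names follow the JWE
// draft ("iv", "ciphertext", "tag"); the struct is constructed for this
// example and is not a type from any JOSE library.
type JWEParts struct {
	ProtectedHeader string // BASE64URL(UTF8(header JSON)), also used as the AAD
	IV              string // BASE64URL(nonce), CAESAR's "public message number"
	Ciphertext      string // BASE64URL(ciphertext without the tag)
	Tag             string // BASE64URL(authentication tag)
}

var b64 = base64.RawURLEncoding

// newGCM builds the AEAD. cipher.AEAD has the CAESAR shape: Seal takes
// (nonce, plaintext, additional data) and returns ciphertext || tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToJWE runs the combined-output AEAD and splits the trailing Overhead()
// bytes off as JOSE's distinct "tag" field. The AAD is the ASCII of the
// base64url-encoded protected header, i.e. the encoded form, not the JSON.
func SealToJWE(key, nonce, headerJSON, plaintext []byte) (JWEParts, error) {
	aead, err := newGCM(key)
	if err != nil {
		return JWEParts{}, err
	}
	if len(nonce) != aead.NonceSize() {
		return JWEParts{}, errors.New("nonce length does not match AEAD nonce size")
	}
	protected := b64.EncodeToString(headerJSON)
	out := aead.Seal(nil, nonce, plaintext, []byte(protected)) // C || T
	split := len(out) - aead.Overhead()
	return JWEParts{
		ProtectedHeader: protected,
		IV:              b64.EncodeToString(nonce),
		Ciphertext:      b64.EncodeToString(out[:split]),
		Tag:             b64.EncodeToString(out[split:]),
	}, nil
}

// OpenFromJWE reassembles C || T from the separate JOSE fields and hands it
// to the combined-input AEAD. A change to any of header, iv, ciphertext or
// tag makes Open fail, so where the tag lives is a serialization detail only.
func OpenFromJWE(key []byte, p JWEParts) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := b64.DecodeString(p.IV)
	if err != nil {
		return nil, err
	}
	c, err := b64.DecodeString(p.Ciphertext)
	if err != nil {
		return nil, err
	}
	t, err := b64.DecodeString(p.Tag)
	if err != nil {
		return nil, err
	}
	if len(t) != aead.Overhead() {
		return nil, errors.New("tag length does not match AEAD tag size")
	}
	return aead.Open(nil, nonce, append(c, t...), []byte(p.ProtectedHeader))
}

func main() {
	// Constructed sample values for illustration only: a real key comes from a
	// CSPRNG or key agreement, and a real nonce must never repeat under a key.
	key := []byte("0123456789abcdef") // 16 bytes, matching A128GCM
	nonce := []byte("96-bit nonce")   // 12 bytes, GCM's nonce size
	header := []byte(`{"alg":"dir","enc":"A128GCM"}`)

	parts, err := SealToJWE(key, nonce, header, []byte("hello jose"))
	if err != nil {
		panic(err)
	}
	// Compact form; the empty segment is the encrypted key, absent for alg=dir.
	fmt.Printf("%s..%s.%s.%s\n", parts.ProtectedHeader, parts.IV, parts.Ciphertext, parts.Tag)

	pt, err := OpenFromJWE(key, parts)
	fmt.Printf("plaintext=%q err=%v\n", pt, err)

	// Alter the header (the AAD) by one character: authentication must fail.
	parts.ProtectedHeader += "x"
	_, err = OpenFromJWE(key, parts)
	fmt.Println("tampered header:", err)
}
```

For an AEAD whose output carries no separable tag, `SealToJWE` would simply emit an empty `Tag`, which matches the resolution Richard recalls for CCM: the "tag" segment is present only when the authentication tag is non-empty.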