Hi Mike,
From: Mike Jones <[email protected]>
Date: Monday, November 12, 2012 1:55 PM
To: Cisco Employee <[email protected]>,
"[email protected]" <[email protected]>,
"[email protected]" <[email protected]>
Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
As background, if there was a version of this spec that did not assume that the
parameters would be concatenated together in a specific way, but left them as
independent inputs and outputs, as AES GCM and AES CTR do, it would be a better
match for JOSE’s use case.
I believe that what you are referring to is the inclusion of the authentication
tag in the authenticated ciphertext. This is not just a property of
draft-mcgrew-aead-aes-cbc-hmac-sha2; it is a feature of all 19 of the AEAD
algorithms that have been defined so far. For comparison,
draft-mcgrew-aead-aes-cbc-hmac-sha2 says
The AEAD Ciphertext consists of the string S, with the string T
appended to it. This Ciphertext is returned as the output of the
AEAD encryption operation.
where S is the ciphertext and T is the authentication tag. RFC 5116 says
"The AEAD_AES_128_GCM ciphertext is formed by appending the authentication
tag provided as an output to the GCM encryption operation to the ciphertext
that is output by that operation."
David
-- Mike
From: [email protected] [mailto:[email protected]] On Behalf Of David McGrew (mcgrew)
Sent: Monday, November 12, 2012 10:21 AM
To: [email protected]; [email protected]
Subject: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
Hi,
There is a new version of "Authenticated Encryption with AES-CBC and HMAC-SHA",
and I would appreciate your review. It is online at
<https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/?include_text=1>
The diff between the current and the previous version is available at
<http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-01>
This draft has been proposed for use in the JOSE WG
<http://datatracker.ietf.org/wg/jose/>, where its adoption would allow the working group to omit "raw"
unauthenticated encryption, e.g. AES-CBC, and only include authenticated
encryption. Thus I am asking for your help in making
John Foley generated test cases that correspond to the current version of the
draft, but I didn't include these in the draft because I did not yet get
confirmation from a second independent implementation. With hope, there will
not be any need for any normative changes, and I will include these after I get
confirmation.
Thanks,
David
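The S || T framing discussed above, as an added example that is not code from the draft, the thread or any of its authors: a Go implementation of the AEAD_AES_128_CBC_HMAC_SHA_256 composition whose Seal returns S with T appended and whose Open splits T back off and verifies it before decrypting anything. The key split (MAC_KEY || ENC_KEY), the MAC input A || IV || S || AL and T_LEN = 16 are assumptions taken from the published construction, and the IV is passed as a separate input rather than carried inside the ciphertext.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Assumed parameters of AEAD_AES_128_CBC_HMAC_SHA_256: K = MAC_KEY(16) || ENC_KEY(16), T = HMAC-SHA-256 truncated to tLen octets.
const tLen = 16
// tag computes T over A || IV || S || AL, where AL is the bit length of A as a 64-bit big-endian integer.
func tag(macKey, a, iv, s []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(a))*8)
	h := hmac.New(sha256.New, macKey)
	h.Write(a); h.Write(iv); h.Write(s); h.Write(al)
	return h.Sum(nil)[:tLen]
}
// Seal pads P (PKCS#7), CBC-encrypts it to S and returns S || T: the tag is the trailing tLen octets of the AEAD ciphertext.
func Seal(k, iv, a, p []byte) ([]byte, error) {
	if len(k) != 2*aes.BlockSize || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	blk, _ := aes.NewCipher(k[16:]) // ENC_KEY length already validated above
	n := aes.BlockSize - len(p)%aes.BlockSize
	s := append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(s, s)
	return append(s, tag(k[:16], a, iv, s)...), nil
}

// Open splits T off the end, checks it in constant time before decrypting anything, then strips the padding.
func Open(k, iv, a, c []byte) ([]byte, error) {
	sLen := len(c) - tLen
	if len(k) != 2*aes.BlockSize || len(iv) != aes.BlockSize || sLen < aes.BlockSize || sLen%aes.BlockSize != 0 {
		return nil, errors.New("malformed input")
	}
	if !hmac.Equal(c[sLen:], tag(k[:16], a, iv, c[:sLen])) {
		return nil, errors.New("authentication failed") // reject before any plaintext is produced
	}
	blk, _ := aes.NewCipher(k[16:])
	p := make([]byte, sLen)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(p, c[:sLen])
	n := int(p[sLen-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[sLen-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return p[:sLen-n], nil
}
```

Because T is always the final tLen octets, a receiver that knows the algorithm can split the concatenated output back into the independent S and T values without any extra framing.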