Hi Mike,

> From: Mike Jones <[email protected]>
> Date: Monday, November 12, 2012 1:55 PM
> To: Cisco Employee <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
>
> As background, if there was a version of this spec that did not assume
> that the parameters would be concatenated together in a specific way, but
> left them as independent inputs and outputs, as AES GCM and AES CTR do, it
> would be a better match for JOSE's use case.
I encourage you to look into SIV mode, an AEAD scheme found in RFC 5297. SIV was defined by Rogaway and Shrimpton (in a paper found in the RFC) and is provably secure. It takes a vector of inputs as additional authenticated data, which will be authenticated, and a plaintext, which will be authenticated and encrypted. It does not assume that the parameters are concatenated together; it's just a vector of separate inputs.

Additionally, SIV mode does not require a random IV/nonce. It works just fine if you have one, and it won't collapse if it is repeated (as GCM does) or is predictable (as CBC-HMAC does), and it works if you don't have, or want to have, one. In that fashion it is more robust than other AEAD schemes. The downside is that it's slower than GCM but is probably faster than CBC-HMAC with SHA2.

regards,

Dan.

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
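Worked example, added to this archive page and not part of Dan's message or of RFC 5297 itself: a compact AES-SIV (S2V-CMAC-AES for the tag, AES-CTR for the keystream) written from the RFC in Go, using only the standard library. It shows the two properties Dan points to. First, the associated data is a vector of separate strings that S2V MACs one by one, so nothing is concatenated and reordering or merging the components changes the tag. Second, there is no nonce input at all: when one is available it is simply passed as the last AD string (RFC 5297, section 3), and a repeated or predictable nonce only makes identical messages produce identical output. The key, AD and plaintext in `main` are the RFC 5297 Appendix A.1 test vector; the `siv` type and the `Seal`/`Open` names are this example's own choices, not names from the RFC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// dbl doubles a 128-bit block in GF(2^128) (RFC 5297, section 2.3).
func dbl(b []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = b[i]<<1|carry, b[i]>>7
	}
	if carry != 0 {
		out[15] ^= 0x87 // reduce modulo the field polynomial
	}
	return out
}

// xor combines two 16-byte blocks; pad appends a 1 bit, then zeros, to a block shorter than 16 bytes.
func xor(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}
func pad(b []byte) []byte {
	return append(append(make([]byte, 0, 16), b...), 0x80)[:16]
}

// cmac is AES-CMAC (RFC 4493), the PRF that S2V is built from.
func cmac(blk cipher.Block, msg []byte) []byte {
	l := make([]byte, 16)
	blk.Encrypt(l, l) // L = E_K(0^128); subkeys K1 = dbl(L), K2 = dbl(K1)
	k1, k2 := dbl(l), dbl(dbl(l))
	x := make([]byte, 16)
	for len(msg) > 16 {
		blk.Encrypt(x, xor(x, msg[:16]))
		msg = msg[16:]
	}
	if len(msg) == 16 {
		blk.Encrypt(x, xor(x, xor(msg, k1))) // complete final block
	} else {
		blk.Encrypt(x, xor(x, xor(pad(msg), k2))) // partial or empty final block
	}
	return x
}

// s2v is the S2V PRF of RFC 5297, section 2.4: every element of vec is MACed as
// its own string, with no concatenation; the last element is the plaintext.
func s2v(blk cipher.Block, vec ...[]byte) []byte {
	d := cmac(blk, make([]byte, 16)) // D = CMAC(<zero>)
	for _, s := range vec[:len(vec)-1] {
		d = xor(dbl(d), cmac(blk, s))
	}
	sn := vec[len(vec)-1]
	if len(sn) < 16 {
		return cmac(blk, xor(dbl(d), pad(sn)))
	}
	t := append([]byte(nil), sn...)
	copy(t[len(t)-16:], xor(t[len(t)-16:], d)) // xorend: fold D into the final block
	return cmac(blk, t)
}

// siv holds the two halves of K: the left half keys S2V, the right half keys CTR (section 2.6).
type siv struct{ mac, ctr cipher.Block }

func newSIV(key []byte) (*siv, error) {
	mac, err1 := aes.NewCipher(key[:len(key)/2])
	ctr, err2 := aes.NewCipher(key[len(key)/2:])
	if err1 != nil || err2 != nil {
		return nil, errors.New("siv: key must be 256, 384 or 512 bits")
	}
	return &siv{mac, ctr}, nil
}

// stream builds the CTR keystream from V with bit 31 of its two low words cleared,
// so the counter never carries into the upper bits (section 2.5).
func (s *siv) stream(v []byte) cipher.Stream {
	q := append([]byte(nil), v...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	return cipher.NewCTR(s.ctr, q)
}

// Seal returns V || C. ad is the vector of associated-data strings; a nonce, when one
// exists, is simply its last element (section 3), so a repeated nonce only makes
// identical inputs produce identical output.
func (s *siv) Seal(plaintext []byte, ad ...[]byte) []byte {
	v := s2v(s.mac, append(append([][]byte{}, ad...), plaintext)...)
	out := make([]byte, 16+len(plaintext))
	copy(out, v)
	s.stream(v).XORKeyStream(out[16:], plaintext)
	return out
}

// Open decrypts, recomputes S2V over the recovered plaintext and rejects the message,
// in constant time, if the result differs from the transmitted V.
func (s *siv) Open(ciphertext []byte, ad ...[]byte) ([]byte, error) {
	if len(ciphertext) < 16 {
		return nil, errors.New("siv: ciphertext shorter than the 128-bit tag")
	}
	v, c := ciphertext[:16], ciphertext[16:]
	p := make([]byte, len(c))
	s.stream(v).XORKeyStream(p, c)
	if subtle.ConstantTimeCompare(s2v(s.mac, append(append([][]byte{}, ad...), p)...), v) != 1 {
		return nil, errors.New("siv: authentication failed")
	}
	return p, nil
}

func main() {
	// RFC 5297, Appendix A.1 test vector: the deterministic case with no nonce at all.
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	s, _ := newSIV(key)
	ct := s.Seal(pt, ad)
	fmt.Printf("V||C = %x\n", ct)
	ct[len(ct)-1] ^= 1
	_, err := s.Open(ct, ad)
	fmt.Println("after flipping one ciphertext bit:", err)
}
```

Two design points worth noting. Because SIV computes the tag over the plaintext, `Open` has to decrypt before it can verify; it therefore returns nil rather than the recovered bytes whenever the constant-time comparison fails, so unauthenticated plaintext never reaches the caller. And since the AD components are MACed as distinct strings, presenting the same bytes as one concatenated string, or in a different order, is rejected as a different message, which is exactly the property Mike's note above asks for.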
