On 11/12/12 3:21 PM, "Dan Harkins" <[email protected]> wrote:

> Hi Mike,
>
>> From: Mike Jones <[email protected]>
>> Date: Monday, November 12, 2012 1:55 PM
>> To: Cisco Employee <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
>> Subject: RE: [Cfrg] Authenticated Encryption with AES-CBC and HMAC-SHA, version 01
>>
>> As background, if there was a version of this spec that did not assume that the parameters would be concatenated together in a specific way, but left them as independent inputs and outputs, as AES GCM and AES CTR do, it would be a better match for JOSE's use case.
>
> I encourage you to look into SIV mode, an AEAD scheme found in RFC 5297. SIV was defined by Rogaway and Shrimpton (in a paper found in the RFC) and is provably secure.
>
> It takes a vector of input as additional authenticated data which will be authenticated, and a plaintext which will be authenticated and encrypted. It does not assume that the parameters are concatenated together, it's just a vector of separate inputs.
>
> Additionally, SIV mode does not require a random IV/nonce. It works just fine if you have one, and it won't collapse if it is repeated (as GCM does) or is predictable (as CBC-HMAC does), and it works if you don't have, or want to have, one. In that fashion it is more robust than other AEAD schemes. The downside is that it's slower than GCM but is probably faster than CBC-HMAC with SHA2.

AES-SIV is in several ways technically superior to AES-CBC-HMAC-SHA. However, the motivation to use the latter algorithm is its widespread availability, as I understand it. Mike and some other folks did a survey of what crypto is available. (Perhaps someone can send a reference; it is a good survey.)
Despite SIV's flexibility, it doesn't address Mike's complaint, because it does not have an authentication tag that is separate from the ciphertext. Instead, it has the synthetic IV (which acts like an auth tag) combined with the ciphertext. As an aside, if SIV is used for JOSE, it can use the RFC 5116 interface (see Sections 6.1-6.3 of the SIV RFC) and essentially would need to do so.

David

> regards,
>
> Dan.

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
