Using draft-mcgrew-aead-aes-cbc-hmac-sha2 is not the same thing as (1).  For 
instance, as was discussed after David's presentation at IETF 84, 
draft-mcgrew-aead-aes-cbc-hmac-sha2 does not follow the pattern of AEAD 
algorithms such as AES GCM, which have two inputs (plaintext, "additional 
authenticated data"), and two outputs (ciphertext, "authentication tag").  
Instead, it adds a step combining the ciphertext and "authentication tag" 
outputs.

If you read the draft, implementation of draft-mcgrew-aead-aes-cbc-hmac-sha2 
has a lot more steps than what we have for A128CBC+HS256 and A256CBC+HS512.  It 
requires generating and adding specific padding bytes.  It prefixes the 
ciphertext with the IV.  It includes the length of the "additional 
authenticated data" in the MAC calculation.  It combines the two outputs into 
one.  For decryption, likewise, the two outputs must be split apart, the IV 
must be split apart, etc.

All of these are steps that implementations could get wrong, resulting in 
interoperability problems.  By keeping all the parameters separate, our current 
A128CBC+HS256 and A256CBC+HS512 algorithms eliminate those steps.

I'm sorry for the apparent confusion between (1) and 
draft-mcgrew-aead-aes-cbc-hmac-sha2.  While they both explicitly represent the 
CMK and CEK, and use the same underlying crypto operations, the details differ 
in ways that are likely to matter to implementers.  If there was a version of 
draft-mcgrew-aead-aes-cbc-hmac-sha2 that kept all the inputs and outputs 
separate, I agree that it would be a reasonable candidate for JOSE to consider. 
But unlike AES GCM, that's not what it does.

                                -- Mike

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Manger, 
James H
Sent: Sunday, November 11, 2012 2:24 PM
To: Michael Jones; [email protected]
Subject: Re: [jose] Choice for WG: Use a KDF with AES CBC or use a longer key

> So I’d like to explicitly ask the working group.  Do you want us to:
>
> (1) Use the concatenation of random CEK and CIK values as the CMK for AES 
> CBC, resulting in a longer CMK?
> (2) Continue to use a KDF to generate the CEK and CIK from a shorter CMK?


1. Use draft-mcgrew-aead-aes-cbc-hmac-sha2

--
James Manger
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
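The reply above lists the steps that draft-mcgrew-aead-aes-cbc-hmac-sha2 adds on top of plain AES-CBC plus HMAC: PKCS#7 padding, prefixing the ciphertext with the IV, folding the bit length of the additional authenticated data ("AL") into the MAC, and concatenating ciphertext and tag into a single output that the receiver must split apart again. The following Go program is an added illustration of that composition for the AES-128 / HMAC-SHA-256 variant (16-octet MAC key, 16-octet AES key, tag truncated to 16 octets, MAC computed over A || S || AL with S = IV || CBC output); it is not code from the thread, from the draft authors, or from any JOSE implementation. The function names, the fixed key and IV, and the sample header are constructed for the demonstration; a real implementation would draw the IV from a CSPRNG per message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Parameters of the AEAD_AES_128_CBC_HMAC_SHA_256 variant described in the draft.
const (
	macKeyLen = 16 // MAC_KEY is the first 16 octets of K
	encKeyLen = 16 // ENC_KEY is the last 16 octets of K
	tagLen    = 16 // T_LEN: HMAC-SHA-256 output truncated to 16 octets
)

// pkcs7Pad appends 1..16 padding octets so the length is a multiple of the block size.
// A plaintext that is already block-aligned gets a full block of padding.
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	out := make([]byte, len(p)+n)
	copy(out, p)
	for i := len(p); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

// pkcs7Unpad validates every padding octet before stripping it.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("padded data is not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// alBytes is the "AL" field: the bit length of A as a 64-bit big-endian integer.
func alBytes(a []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(a))*8)
	return al
}

// computeTag returns T = HMAC-SHA-256(MAC_KEY, A || S || AL) truncated to tagLen,
// where S is the IV-prefixed CBC ciphertext.
func computeTag(macKey, a, s []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(a)
	h.Write(s)
	h.Write(alBytes(a))
	return h.Sum(nil)[:tagLen]
}

// Encrypt produces the draft's single output C = S || T = IV || CBC(P) || T.
func Encrypt(k, iv, p, a []byte) ([]byte, error) {
	if len(k) != macKeyLen+encKeyLen {
		return nil, errors.New("key must be 32 octets")
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be 16 octets")
	}
	macKey, encKey := k[:macKeyLen], k[macKeyLen:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(p)
	s := make([]byte, aes.BlockSize+len(padded))
	copy(s, iv) // step: prefix the ciphertext with the IV
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(s[aes.BlockSize:], padded)
	return append(s, computeTag(macKey, a, s)...), nil // step: combine the two outputs
}

// Decrypt reverses the framing: split off T, verify it in constant time, split off
// the IV, CBC-decrypt, and finally check and strip the padding.
func Decrypt(k, a, c []byte) ([]byte, error) {
	if len(k) != macKeyLen+encKeyLen {
		return nil, errors.New("key must be 32 octets")
	}
	if len(c) < 2*aes.BlockSize+tagLen {
		return nil, errors.New("ciphertext too short")
	}
	macKey, encKey := k[:macKeyLen], k[macKeyLen:]
	s, t := c[:len(c)-tagLen], c[len(c)-tagLen:]
	if !hmac.Equal(t, computeTag(macKey, a, s)) {
		return nil, errors.New("authentication failed")
	}
	iv, e := s[:aes.BlockSize], s[aes.BlockSize:]
	if len(e)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(e))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, e)
	return pkcs7Unpad(padded)
}

func main() {
	k := bytes.Repeat([]byte{0x42}, 32)           // constructed 32-octet key (MAC_KEY || ENC_KEY)
	iv := bytes.Repeat([]byte{0x01}, 16)          // constructed IV; fixed only so the demo is repeatable
	a := []byte(`{"alg":"dir","enc":"example"}`) // constructed header used as AAD
	p := []byte("hello JOSE")
	c, err := Encrypt(k, iv, p, a)
	if err != nil {
		panic(err)
	}
	fmt.Printf("single output: %d octets = 16 (IV) + %d (CBC) + 16 (tag)\n", len(c), len(c)-32)
	if _, err := Decrypt(k, a, c); err != nil {
		panic(err)
	}
	c[len(c)-1] ^= 1 // flip one bit of the tag
	_, err = Decrypt(k, a, c)
	fmt.Println("tampered input:", err)
}
```

Every branch in Decrypt that can fail (length check, tag mismatch, alignment, padding) is a place where two implementations can disagree, which is the interoperability concern raised above. JWE's later A128CBC-HS256 (RFC 7518) computes the same tag over A || IV || E || AL but carries IV, ciphertext and tag as separate fields, so the split-and-reassemble steps disappear.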