If I am understanding the document correctly, you're talking about the mechanism in S 5.1, bullet #4, in which the shared symmetric key is used directly to encrypt the content?
I'm generally not super-excited about modes like this, for a number of reasons:

1. They place an enormous amount of stress on the IV mechanism. As a concrete example, if you use GCM with fresh keys for every message then a low-entropy nonce is safe (though bad practice). However, if you ever reuse a key, then low entropy becomes a serious issue.

2. As Richard says, it's not standard practice.

Is there a performance or such-like reason to allow this mode?

-Ekr

On Fri, Jan 18, 2013 at 3:24 PM, jose issue tracker <[email protected]> wrote:
> #8: Direct mode for key agreement needs security analysis
>
> JWE specifies a "direct encryption" method, in which the output of key
> agreement is used for content encryption instead of key wrapping. This
> scheme is not used in other IETF security protocols that use key
> agreement, e.g., CMS or IPsec. CMS uses the agreed key for wrapping.
> IPsec uses it to key the IKE SA, which covers further key agreement. The
> security considerations needs to justify why this scheme is secure, and
> any relevant constraints (e.g., lifetime of DH keys).
>
> --
> Reporter: [email protected] | Owner: draft-ietf-jose-json-web-[email protected]
> Type: defect | Status: new
> Priority: major | Milestone:
> Component: json-web-encryption | Version:
> Severity: Active WG Document | Keywords:
>
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/8>
> jose <http://tools.ietf.org/jose/>
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
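The point in the reply above, that a counter-mode AEAD such as GCM tolerates a low-entropy nonce only while every message gets a fresh key, can be made concrete with a small model. The following is an added example, not code from the thread, the jose WG or any JWE implementation. AES-GCM is not in the Python standard library, so the keystream is an HMAC-SHA256 counter-mode stand-in (an assumption: it models only the property that GCM's encryption shares, ciphertext = plaintext XOR keystream(key, nonce)); the HKDF, the per-message salt, the label "toy-jwe-content-key" and the NonceGuard class are all constructed for the illustration.

```python
"""Toy model of why a key reused across messages stresses the nonce.

Assumptions (not from the original thread): HMAC-SHA256 counter mode stands
in for GCM's CTR keystream, and the sample keys, nonces and messages below are
constructed for the example.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(key, nonce || i).

    Like GCM's CTR layer it is fully determined by (key, nonce), which is the
    whole problem when either one repeats.
    """
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt: XOR is its own inverse) under the toy keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def two_time_pad(shared_key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """True when a reused (key, nonce) makes c1 XOR c2 equal m1 XOR m2.

    This is the failure the reply warns about: under one long-lived key, a
    repeated low-entropy nonce cancels the keystream out of the ciphertexts.
    """
    c1 = xor_encrypt(shared_key, nonce, m1)
    c2 = xor_encrypt(shared_key, nonce, m2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))


def fresh_message_key(shared_key: bytes, per_message_salt: bytes) -> bytes:
    """Derive a distinct content key per message from the agreed key.

    With a fresh salt (constructed here; it would travel in the header) the
    derived keys differ even when the nonce is constant, so the nonce carries
    no security load.  Hypothetical label, not a JWE-defined value.
    """
    return hkdf_sha256(shared_key, per_message_salt, b"toy-jwe-content-key")


class NonceGuard:
    """Sender-side check for implementations that do reuse a key directly:
    refuse to encrypt twice under the same (key, nonce) pair."""

    def __init__(self) -> None:
        self.seen: set = set()

    def encrypt(self, key: bytes, nonce: bytes, data: bytes) -> bytes:
        pair = (hashlib.sha256(key).digest(), nonce)
        if pair in self.seen:
            raise ValueError("nonce already used under this key")
        self.seen.add(pair)
        return xor_encrypt(key, nonce, data)


if __name__ == "__main__":
    K = b"\x11" * 32           # constructed long-lived agreed key
    N = b"\x00" * 12           # constructed low-entropy nonce
    print("direct mode, reused key, repeated nonce leaks:", two_time_pad(K, N, b"alpha", b"bravo"))
    ka = fresh_message_key(K, b"salt-A")
    kb = fresh_message_key(K, b"salt-B")
    print("fresh key per message, same nonce, distinct keystreams:", keystream(ka, N, 16) != keystream(kb, N, 16))
```

The two functions to compare are `two_time_pad` (direct use of the shared key, where a repeated nonce is fatal) and `fresh_message_key` (a per-message derived key, where the same nonce is harmless because the keystream input changed elsewhere); `NonceGuard` is the minimum a sender needs if it insists on the first design.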
