On Apr 11, 2013, at 8:37 PM, "Manger, James H" <[email protected]> wrote:
> Karen,
> I think this poll conflates 2 issues: a) making the integrity check value
> part of the ciphertext (as per RFC 5116); and b) not treating the IV in
> CBC-HMAC as an (app-supplied) AEAD nonce, but as part of the randomized
> (crypto-library-supplied) ciphertext (as per
> draft-mcgrew-aead-aes-cbc-hmac-sha2).
>
> RFC 5116 "An interface and algorithms for authenticated encryption" has a
> nonce (N) and a separate field to the ciphertext. N is a separate input to
> the encryption and decryption operations.
> draft-mcgrew-aead-aes-cbc-hmac-sha2 defines AEAD algorithms that take a
> zero-length nonce, but prefix the ciphertext with a random IV.
>
>
> So my answer to the poll:
>
> 2b.
> Switch to using RFC 5116.
> A JWE should have separate nonce and ciphertext fields (but no separate
> integrity value field).
> JWE should use the term "nonce", instead of "initialization vector".
> Any integrity value that an algorithm creates should be part of the
> ciphertext.
> When draft-mcgrew-aead-aes-cbc-hmac-sha2 is used as the AEAD algorithm the
> nonce field will be empty, and the ciphertext field will be a concatenation
> of an IV, AES output, and the truncated HMAC output.

My preference is also this 2b (or would it be 3?).

- m&m

Matt Miller <[email protected]>
Cisco Systems, Inc.
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
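The construction James describes, as an added example that is not part of the thread and not code from the draft or from any JOSE implementation: AEAD_AES_128_CBC_HMAC_SHA_256 from draft-mcgrew-aead-aes-cbc-hmac-sha2, implemented behind Go's cipher.AEAD interface, whose Seal/Open shape (nonce, plaintext, associated data as separate inputs) is RFC 5116's. The point of the email becomes visible in the API: NonceSize() is 0, Seal refuses any nonce and draws the IV itself, and the returned ciphertext is IV || S || T, with T the HMAC-SHA-256 output truncated to 16 bytes. The layout follows the draft as I understand it (MAC_KEY is the first half of K, ENC_KEY the second, and the tag covers A || IV || S || AL with AL the bit length of A as a 64-bit big-endian integer); no test vector from the draft is embedded, so check against one before relying on the byte-exact format. The type and function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const (
	keyLen = 32            // K = MAC_KEY (16) || ENC_KEY (16)
	ivLen  = aes.BlockSize // random IV, carried as the first 16 bytes of C
	tagLen = 16            // T_LEN: HMAC-SHA-256 output truncated to 128 bits
)

// cbcHmacSha256 is AEAD_AES_128_CBC_HMAC_SHA_256 behind Go's RFC 5116-shaped
// cipher.AEAD interface. NonceSize() is 0: the IV is not a caller input, it
// is the first 16 bytes of the ciphertext the library emits.
type cbcHmacSha256 struct{ macKey, encKey []byte }

// NewCBCHMACSHA256 splits K as the draft does: MAC_KEY first, ENC_KEY last.
func NewCBCHMACSHA256(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes (MAC_KEY || ENC_KEY)")
	}
	return &cbcHmacSha256{macKey: key[:16], encKey: key[16:]}, nil
}

func (c *cbcHmacSha256) NonceSize() int { return 0 }

// Overhead is the worst case: IV + a full block of PKCS#7 padding + tag.
func (c *cbcHmacSha256) Overhead() int { return ivLen + aes.BlockSize + tagLen }

// tag computes T = HMAC(MAC_KEY, A || IV || S || AL)[:T_LEN], where AL is
// the bit length of A as a 64-bit big-endian integer.
func (c *cbcHmacSha256) tag(a, iv, s []byte) []byte {
	var al [8]byte
	binary.BigEndian.PutUint64(al[:], uint64(len(a))*8)
	h := hmac.New(sha256.New, c.macKey)
	h.Write(a)
	h.Write(iv)
	h.Write(s)
	h.Write(al[:])
	return h.Sum(nil)[:tagLen]
}

// Seal refuses any nonce, draws the IV itself, and returns IV || S || T.
func (c *cbcHmacSha256) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
	if len(nonce) != 0 {
		panic("cbcHmacSha256: nonce must be zero-length; the IV lives in the ciphertext")
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(c.encKey) // key length was checked in NewCBCHMACSHA256
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	s := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(s, padded)
	out := append(dst, iv...)
	out = append(out, s...)
	return append(out, c.tag(additionalData, iv, s)...)
}

// Open verifies the tag over A || IV || S || AL before it looks at the
// padding, so a forged ciphertext never reaches the padding check.
func (c *cbcHmacSha256) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if len(nonce) != 0 {
		return nil, errors.New("nonce must be zero-length")
	}
	if len(ciphertext) < ivLen+aes.BlockSize+tagLen || (len(ciphertext)-ivLen-tagLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	iv := ciphertext[:ivLen]
	s := ciphertext[ivLen : len(ciphertext)-tagLen]
	if !hmac.Equal(ciphertext[len(ciphertext)-tagLen:], c.tag(additionalData, iv, s)) {
		return nil, errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(c.encKey)
	padded := make([]byte, len(s))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, s)
	padLen := int(padded[len(padded)-1])
	if padLen == 0 || padLen > aes.BlockSize ||
		!bytes.Equal(padded[len(padded)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("bad padding")
	}
	return append(dst, padded[:len(padded)-padLen]...), nil
}
```

A caller written against the generic interface passes `nil` as the nonce and treats the whole return value of Seal as the ciphertext field; an RFC 5116 AEAD with a real nonce (AES-GCM, say) slots into the same call sites with NonceSize() 12 and a caller-supplied nonce, which is exactly the difference between the two poll options the email contrasts. Because the tag is checked before decryption, the padding errors in Open are unreachable with a forged ciphertext, so they cannot serve as a padding oracle.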
