Mike, There are two possible reasons for me to make the statement.
First - that it is unacceptable that we are making the statement that the use of AES-GCM - the current standard AEAD algorithm - cannot be used with this or Second - that the statement of non-use is insufficiently broad to cover the needed cases. The correct statement would be that This JSON serialization format re-uses the same IV/Key pair for multiple recipients. This means that the algorithm used MUST NOT have any issues with IV/Key pair re-use. It is known at this time this will eliminate the ability to use any algorithm which uses counter mode for encryption. Among the AEAD algorithms that use counter mode for their encryption mode is AES-GCM and thus AES-GCM MUST NOT be used with multiple recipients. It is noted that almost all (if not all) of the current crop of AEAD algorithms are using CTR mode and thus cannot be used with this specification. Jim > -----Original Message----- > From: Mike Jones [mailto:[email protected]] > Sent: Wednesday, April 24, 2013 11:48 PM > To: Jim Schaad > Cc: [email protected] > Subject: RE: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt > > Jim - I am surprised that you would say that my co-authors Eric Rescorla or Joe > Hildebrand or the working group would advocate using AES GCM in a way that > would result in severe security vulnerabilities - in particular, allowing > attackers to obtain the XOR of the messages to multiple recipients encrypted > using GCM - a vulnerability identified by the CFRG. > > Not stating this in the document would seem to me to be highly irresponsible, > given the brittleness of GCM in this regard, as identified by the CRFG. As I said > to Richard Barnes over dinner last night, while unpleasant, and possibly > surprising to those who aren't familiar to how GCM actually works, as an > editor, I viewed including the statement that "AES GCM MUST NOT be used > when using the JWE JSON Serialization for multiple recipients, since this would > result in the same Initialization Vector and Plaintext values being used for > multiple GCM encryptions" as necessary, and "truth in advertising". > > -- Mike > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf Of Jim > Schaad > Sent: Wednesday, April 24, 2013 9:07 PM > To: Mike Jones > Cc: [email protected] > Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt > > Mike, > > AES GCM MUST NOT be used when using the JWE JSON Serialization for > multiple recipients, since this would result in the same > Initialization Vector and Plaintext values being used for multiple > GCM encryptions. > > I doubt your co-authors would agree with this. > I doubt the working group with agree with this. > I know that at least one co-chair does not agree with this I can predict that the > AD and IESG along with the security directorate would crucify me if I allowed > this to stand in the document.. > > Jim > > > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] On Behalf > > Of [email protected] > > Sent: Tuesday, April 23, 2013 5:29 PM > > To: [email protected] > > Cc: [email protected] > > Subject: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the Javascript Object Signing and > > Encryption Working Group of the IETF. > > > > Title : JSON Web Encryption (JWE) > > Author(s) : Michael B. Jones > > Eric Rescorla > > Joe Hildebrand > > Filename : draft-ietf-jose-json-web-encryption-09.txt > > Pages : 54 > > Date : 2013-04-23 > > > > Abstract: > > JSON Web Encryption (JWE) is a means of representing encrypted > > content using JavaScript Object Notation (JSON) data structures. > > Cryptographic algorithms and identifiers for use with this > > specification are described in the separate JSON Web Algorithms (JWA) > > specification. Related digital signature and MAC capabilities are > > described in the separate JSON Web Signature (JWS) specification. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption > > > > There's also a htmlized version available at: > > http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09 > > > > A diff from the previous version is available at: > > http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption-0 > > 9 > > > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > _______________________________________________ > > jose mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
