On Tue, Jul 16, 2013 at 12:29 AM, Manger, James H <[email protected]> wrote:

> "CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) will identify a portfolio of authenticated ciphers that offer advantages over AES-GCM and that are suitable for widespread adoption."
>
> http://competitions.cr.yp.to/caesar-call-3.html
>
> CAESAR should be of interest to JOSE for its *model* of AEAD algorithms. Slotting any CAESAR algorithm into JOSE (eg mapping JOSE fields to crypto_aead_decrypt() arguments) should be trivial once an "alg" string is picked. CAESAR says an AEAD algorithm has 5 inputs (plaintext, associated data, secret message number, public message number, and a key) and 1 output (ciphertext).

Thanks for the pointer. I agree that being able to use these algorithms easily with JOSE is a good objective.

> "Message number" is unusual terminology for a nonce, but reflects the fact that only part of the nonce might be in a message (ie only the public message number). This mainly corresponds to 'iv' in JOSE, which is sometimes a dot-separated B64 segment, and sometimes a header parameter.
>
> A more important clash between CAESAR and JOSE is JOSE's 'tag' field that does not exist as a distinct item in the CAESAR model. [One more reason to fix issue #11 properly.]

I don't view that as a huge issue. The "tag" field can simply be omitted for AEAD algorithms that don't have an explicit tag. IIRC, that was the resolution when we discussed CCM earlier. (In the current JWE draft, "tag" is required to be present only when the "JWE Authentication Tag" is non-empty.)

> P.S. While I'm talking about AEAD tags, the latest change to A128GCMKW moves the key wrap tag from outside the AAD to inside the AAD of the subsequent content encryption. Are there any implications for this change to the security properties?

This is the real issue. In order to be able to cleanly encode an AAD operation (without special JOSE cruft in the inputs), we need the ability to specify an explicit AAD value, as was added in -13. (The text in -13 isn't quite right, though, because it requires that the AAD be base64-encoded before use.)

--Richard

> --
> James Manger
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
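An added example, not code from the thread or from any JOSE or CAESAR implementation, showing the field mapping the thread discusses: a CAESAR-shaped AEAD interface (key, public message number, associated data, message in; one combined ciphertext out) and a JOSE adapter that splits the tag off into JWE's separate "tag" field on output, re-joins it on input, and builds the AAD in the base64url-encoded form the draft text requires (as in RFC 7516, section 5.1). The cipher underneath is a constructed HMAC-SHA256 encrypt-then-MAC stand-in, assumed here for runnability; it is not a CAESAR candidate or AES-GCM.

```python
import base64, hashlib, hmac, os

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- CAESAR-shaped AEAD: (key, public message number, associated data, message) -> ciphertext.
# The tag is part of the returned ciphertext, never a separate output. The cipher is a
# constructed teaching stand-in (encrypt-then-MAC over HMAC-SHA256), not a CAESAR candidate.
TAG_LEN = 16

def _keystream(key: bytes, npub: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, npub + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def crypto_aead_encrypt(key: bytes, npub: bytes, ad: bytes, m: bytes) -> bytes:
    body = bytes(x ^ y for x, y in zip(m, _keystream(key, npub, len(m))))
    tag = hmac.new(key, npub + ad + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def crypto_aead_decrypt(key: bytes, npub: bytes, ad: bytes, c: bytes):
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    expect = hmac.new(key, npub + ad + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None                      # authentication failure: reveal nothing
    return bytes(x ^ y for x, y in zip(body, _keystream(key, npub, len(body))))

# --- JOSE side. AAD = ASCII(protected || '.' || BASE64URL(aad)) when "aad" is present,
# i.e. the base64url-encoded form the draft requires (RFC 7516, section 5.1).
def jwe_aad(protected: str, aad) -> bytes:
    return (protected + ("." + b64url(aad) if aad is not None else "")).encode("ascii")

def jwe_encrypt(key: bytes, header: bytes, plaintext: bytes, aad=None) -> dict:
    protected, iv = b64url(header), os.urandom(12)    # "iv" carries the public message number
    c = crypto_aead_encrypt(key, iv, jwe_aad(protected, aad), plaintext)
    jwe = {"protected": protected, "iv": b64url(iv), "ciphertext": b64url(c[:-TAG_LEN]),
           "tag": b64url(c[-TAG_LEN:])}               # JOSE splits the tag off as its own field
    if aad is not None:
        jwe["aad"] = b64url(aad)
    return jwe

def jwe_decrypt(key: bytes, jwe: dict):
    # CAESAR has no distinct tag input: re-join the JOSE "tag" segment onto the ciphertext
    # (an algorithm with no explicit tag simply omits the field, leaving "" here).
    c = unb64url(jwe["ciphertext"]) + unb64url(jwe.get("tag", ""))
    aad = unb64url(jwe["aad"]) if "aad" in jwe else None
    return crypto_aead_decrypt(key, unb64url(jwe["iv"]), jwe_aad(jwe["protected"], aad), c)
```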
