Thanks,  I will have a look.

On Mar 31, 2014, at 3:43 AM, Antonio Sanso <[email protected]> wrote:

> thanks a lot John,
> 
> On Mar 28, 2014, at 5:09 PM, John Bradley <[email protected]> wrote:
> 
>> This reference may be useful to you. 
>> http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2
>> 
>> The part of the spec you need is  
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-24#page-23
>> 
>> We originally used a KDF as you mention.  In order to simplify the alg and 
>> align with draft-mcgrew-aead-aes-cbc-hmac-sha2.
>> 
>> K is the concatenation of the AES key and the HMAC Key.
> 
> Question: are the examples in the spec already updated to use the new 
> mechanism? 
> There are some obsolete references in the JWE spec. E.g. [2] says:
> 
> as described where this algorithm is
>    defined in Sections 4.8 and 4.8.3 of JWA,
> 
> These sections seem to point to an old version of the spec (Section 4.8.3 
> doesn’t even exist anymore in JWA)
> 
> regards
> 
> antonio
> 
> [2] 
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-B
> 
>> 
>> John B.
>> 
>> 
>> On Mar 28, 2014, at 11:19 AM, Antonio Sanso <[email protected]> wrote:
>> 
>>> hi *,
>>> 
>>> in the JWT specification [0] there is an example of a JWE that uses 
>>> A128CBC-HS256 for content encryption.
>>> Now I am not a cryptographer myself but IIUC the same CEK is used for 
>>> encrypting with AES and authentication HMAC.
>>> 
>>> AFAIK it is better to use two different keys for those 2 different primitives 
>>> (this will not obviously apply to AES_GCM).
>>> 
>>> Unless I am missing something... :)
>>> 
>>> regards
>>> 
>>> antonio
>>> 
>>> [0] 
>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#appendix-A.1
>>> [1] 
>>> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-24#appendix-A.2
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
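
Added example (not part of the thread and not code from the JOSE drafts): the key handling discussed above for A128CBC-HS256, following the AES_CBC_HMAC_SHA2 construction in the JWA draft linked in the thread, where the 32-octet K is split into a MAC key and an AES key rather than one key being used for both. The AES-CBC step is left out because Python's standard library has no AES; K, the IV, the AAD and the ciphertext are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MAC_KEY_LEN = 16  # HMAC-SHA-256 key length in octets for A128CBC-HS256
ENC_KEY_LEN = 16  # AES-128 key length in octets
TAG_LEN = 16      # authentication tag = first 16 octets of the HMAC output


def split_cek(k: bytes):
    """Split K into (MAC_KEY, ENC_KEY): initial octets for HMAC, final for AES."""
    if len(k) != MAC_KEY_LEN + ENC_KEY_LEN:
        raise ValueError("A128CBC-HS256 needs a 32-octet key")
    return k[:MAC_KEY_LEN], k[MAC_KEY_LEN:]


def compute_tag(mac_key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA-256 over AAD || IV || ciphertext || AL, truncated to TAG_LEN."""
    al = struct.pack(">Q", len(aad) * 8)  # AAD length in bits, 64-bit big-endian
    full = hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()
    return full[:TAG_LEN]


def verify_tag(k: bytes, aad: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Check the tag before any decryption; only MAC_KEY is touched here."""
    mac_key, _enc_key = split_cek(k)
    expected = compute_tag(mac_key, aad, iv, ciphertext)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


# Constructed sample values (not taken from the spec examples).
K = bytes(range(32))
AAD = b"constructed-protected-header"  # in JWE: ASCII of the encoded header
IV = bytes(16)
CIPHERTEXT = bytes.fromhex("aa" * 32)  # stands in for the AES-CBC output

if __name__ == "__main__":
    mac_key, enc_key = split_cek(K)
    tag = compute_tag(mac_key, AAD, IV, CIPHERTEXT)
    print("MAC_KEY:", mac_key.hex())
    print("ENC_KEY:", enc_key.hex())
    print("tag    :", tag.hex())
    print("valid  :", verify_tag(K, AAD, IV, CIPHERTEXT, tag))
    print("tamper :", verify_tag(K, AAD, IV, CIPHERTEXT[:-1] + b"\x00", tag))
```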
