
Re: Proposal for adding AES-GCM to XML Encryption 1.1

From: pratik datta <pratik.datta@oracle.com>
Date: Mon, 09 Nov 2009 15:13:30 -0800
Message-ID: <4AF8A21A.9030300@oracle.com>
To: Frederick Hirsch <frederick.hirsch@nokia.com>
CC: XMLSec WG Public List <public-xmlsec@w3.org>

It will be optional.

At this point I am not in a position to interop with this, but maybe in 
a few months.

Pratik

On 11/9/2009 12:25 PM, Frederick Hirsch wrote:
> Pratik
>
> Are you proposing we add it as an Optional or Required to implement 
> algorithm?
>
> Who is in a position to interop test this?
>
> regards, Frederick
>
> Frederick Hirsch, Nokia
> Chair XML Security WG
>
>
>
> On Nov 9, 2009, at 3:18 PM, ext pratik datta wrote:
>
>> I am not sure how important AES-GCM is, but we can consider adding it
>> to XML Encryption 1.1.
>>
>> NSA suite B requires AES-GCM as a TLS Cipher suite. (see RFC 5430
>> http://www.rfc-archive.org/getrfc.php?rfc=5430)
>>
>>
>>
>> Here is a preliminary proposal for adding AES-GCM (I had a brief
>> discussion about GCM with Brian in the F2F)
>>
>>
>> Section 5.1 (add this to the list of algorithms)
>>
>> http://www.w3.org/2009/xmlenc11#aes128-gcm
>> http://www.w3.org/2009/xmlenc11#aes256-gcm
>>
>>
>> Section 5.2.3 AES-GCM (add new section)
>>
>> AES-GCM is an authenticated encryption mechanism. I.e. it is equivalent
>> to doing these two operations in one step - HMAC signing followed by
>> AES-CBC encryption. It is very attractive from a performance point of
>> view, because the cost of AES-GCM is similar to regular AES-CBC
>> encryption, yet it achieves the same result as encryption + HMAC
>> signing. Also AES-GCM can be pipelined so it is amenable to hardware
>> acceleration.
>>
>> Identifiers.
>> http://www.w3.org/2009/xmlenc11#aes128-gcm
>> http://www.w3.org/2009/xmlenc11#aes256-gcm
>>
>>
>> AES-GCM is used with a 96-bit Initialization Vector (IV), and a 128-bit
>> Authentication Tag (T). The cipher text contains the IV first, followed
>> by the T and then finally the encrypted octets. Decryption should fail
>> if the authentication tag computed during decryption does not match the
>> specified Authentication Tag.
>>
>>
>>
>>
>> Pratik
>
>
Received on Monday, 9 November 2009 23:16:03 GMT
