- From: David McGrew <mcgrew@cisco.com>
- Date: Fri, 15 Jun 2012 12:24:33 -0400
- To: public-webcrypto@w3.org
- Cc: Kenny Paterson <Kenny.Paterson@rhul.ac.uk>
Hi,

I propose that webcrypto encourage the use of authenticated encryption with associated data (AEAD) instead of non-authenticated symmetric encryption such as raw CBC mode. From a security perspective, it would be best to only allow encryption that is tightly bound to authentication, but I am suggesting that the standard make AEAD a should-implement and not a must-implement for the obvious reason of backwards compatibility with existing implementations. There are dedicated AEAD modes like CCM and GCM, but some implementations may want to use CBC and HMAC because those modes are already implemented, or because they do not want to manage the deterministic nonces that CCM and GCM require.

I recently submitted a draft (joint work with Kenny) that defines AEAD algorithms based on CBC and HMAC. I believe that this work would be suitable for use in webcrypto, and would actually simplify the API. For instance, in David Dahl's algorithm ideas, the CBC-HMAC algorithms would have the same interface as the GCM algorithm.

The draft is at <http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-00>; here is the abstract:

This document specifies algorithms for authenticated encryption with associated data (AEAD) that are based on the composition of the Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC) mode of operation for encryption, and the HMAC-SHA message authentication code (MAC). These are randomized encryption algorithms, and thus are suitable for use with applications that cannot provide distinct nonces to each invocation of the AEAD encrypt operation.

Comments on the draft itself and on suitability for this WG are welcome.

I have been on travel recently and I am not caught up with all threads on the list yet; apologies if I have missed some prior discussion of these points.

regards,

David
Received on Friday, 15 June 2012 16:27:40 UTC