Re: AES-CMAC - MAC lengths other than 128 from Ryan Sleevi on 2014-02-21 (public-webcrypto@w3.org from February 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Fri, 21 Feb 2014 07:47:20 -0800
To: Richard Barnes <rlb@ipv.sx>
Cc: Mark Watson <watsonm@netflix.com>, Jim Schaad <ietf@augustcellars.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CACvaWvbo+bT_3dZ33ptg1Z-vjdYpZuErjK7LKHNcYwfOvteuJQ@mail.gmail.com>

On Feb 21, 2014 7:25 AM, "Richard Barnes" <rlb@ipv.sx> wrote:
>
> For generation: Can't the JS truncate the MAC after it gets the full
result back?
>
> For verification: I'm wary of having the API accept arbitrarily short
MACs.  You would need to specify acceptable lengths in order to avoid
things like an 8-bit MAC being accepted.  Is there standard practice /
documentation for these lengths?
>

Richard,

Is this the same concern you express regarding defaults? That is, that you
want the API to be more high-level than it is?

We already support arbitrary GCM tag lengths, I'm inclined to agree with
Jim that we should keep parity with that (and HMAC).

Disallowing this just encourages developers to do truncation and
verification themselves, in non-constant time.

>
> On Thu, Feb 20, 2014 at 10:55 PM, Jim Schaad <ietf@augustcellars.com>
wrote:
>>
>> Starting with the editorial note in section 18.12.1 – I would be  a
strong advocate that MAC lengths other than 128 should be supported by the
algorithm.  There is a section of the security community (no comment as it
the correctness of its view) that states that security is increased by
truncating the MAC from 128 to 96 bits.  This is a feature that people will
want supported.
>>
>>
>>
>> Jim
>>
>>
>
>

Received on Friday, 21 February 2014 15:47:47 UTC