Re: Bug #22570 - AES-GCM should provide distinct inputs/outputs for tag

On Fri, Jan 24, 2014 at 4:37 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> At this point, am I correct in assuming that the only issue for this bug
> is to do the edits in the document that the decision to make the tag and
> nonce separate items?
>
>
>
> If not then can we start the discussion on this issue.
>

We discussed this at length during the F2F.

It does not make sense to make this part of the general encrypt()
interface, since it presumes encrypt() can only ever be used with
particular AEAD algorithms, which is not the case (RSA encryption is an
example).

As such, it only makes sense if it's included in the algorithm parameters,
which is odd to "mix in" data in that way. It also prevents streaming
encryption/decryption operations (which, to be fair, AEAD algorithms are
pretty good at doing already), by forcing the application developer to
manually do the split / reconstruction.

That said, having the tag *precede* the ciphertext, rather than *follow*
it, is strongly encouraged.


>
>
> I would also like to point out that the JOSE working group decided that
> the data encryption and key encryption versions of AES-GCM would have
> different names.  Thus there is A128GCM and A128GCMKW.  This decision was
> made for cryptographic purity reasons (don’t mix different types of
> input).  I don’t know if we want to follow that decision here as well.
>
>
>
> Jim
>
>
>

If you want to make a cryptographic purity argument, I'd encourage you to
try, because I can see no such argument with respect to AES-GCM here, or
AEAD algorithms in general. Nor was RFC 5116 particularly worried about
such "cryptographic purity" (specifically, see Section 2.3 " This document
does not specify any particular encoding for the AEAD inputs and outputs,
since the encoding does not affect the security services provided by an
AEAD algorithm."), which the CFRG was involved in.