RE: Please reconsider re-adding AES-CMAC

> -----Original Message-----
> From: Mitar [mailto:mmitar@gmail.com]
> Sent: Thursday, January 28, 2016 12:26 AM
> To: public-webcrypto@w3.org
> Subject: Please reconsider re-adding AES-CMAC
> 
> Hi!
> 
> To my understanding, reading from the minutes, the only reason to remove
> AES-CMAC from the standard is because it was not implemented in browsers? But
> isn't this a chicken-and-egg problem? Because AES-CMAC has some quite nice
> security properties and analysis, it is standardized
> (https://tools.ietf.org/html/rfc4493). Its inclusion would help a lot with
> interoperability with other systems. For example, Elliptic curve Diffie–Hellman
> shared secret generation which could be used as a shared encryption key can be
> done by deriving bits and then sending those bits through AES-CMAC signing to
> generate a key (it is not recommended to use the output of the derived
> bits directly like it is done with web standards' deriveKey). Without AES-CMAC in web
> standards it is not possible to generate such a shared key which would work
> together with some other system which is using it.

This is not a solid cryptographic method to produce the shared key.  It would require other things to be done as well.

1.  ECDH does not generate a uniformly random secret; this, combined with the fact that AES-CMAC is not going to be a top-notch PRF, means that you are going to have bias in the resulting key.
2.  You need to deal with the fact that ECDH does not necessarily generate usable outputs for use as a key to AES-CMAC.  P-521 is not an input size for any AES algorithm.

I have been investigating this as part of the COSE work being done in the IETF and have consulted a couple of well-known cryptographic experts to get these opinions.

This should not be done for the reason cited. I have no opinion on using AES-CMAC rather than AES-CBC-MAC merely as a MAC operation.

Jim

> 
> Concretely, new Intel SGX CPU instructions have support for AES-CMAC and use
> the algorithm described above to generate a shared key based on ECDH. Those
> instructions are available in the SGX SDK, backed by native CPU instructions. By
> using only those functions one does not have to additionally increase the trusted
> codebase with a 3rd party crypto library.
> 
> See:
> 
> https://software.intel.com/sites/default/files/managed/d5/e7/Intel-SGX-SDK-Users-Guide-for-Windows-OS.pdf
> 
> Section "Cryptography Library".
> 
> So I would like to propose that AES-CMAC is added to the web crypto standard.
> 
> 
> Mitar
> 
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m

Received on Thursday, 28 January 2016 16:20:46 UTC