- From: pratik datta <pratik.datta@oracle.com>
- Date: Mon, 09 Nov 2009 12:18:01 -0800
- To: XMLSec WG Public List <public-xmlsec@w3.org>
I am not sure how important AES-GCM is, but we can consider adding it to XML Encryption 1.1. NSA Suite B requires AES-GCM as a TLS cipher suite (see RFC 5430, http://www.rfc-archive.org/getrfc.php?rfc=5430).

Here is a preliminary proposal for adding AES-GCM (I had a brief discussion about GCM with Brian at the F2F).

Section 5.1 (add these to the list of algorithms):

http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm

Section 5.2.3 AES-GCM (add new section)

AES-GCM is an authenticated encryption mechanism, i.e. it is equivalent to doing these two operations in one step: HMAC signing followed by AES-CBC encryption. It is very attractive from a performance point of view, because the cost of AES-GCM is similar to regular AES-CBC encryption, yet it achieves the same result as encryption + HMAC signing. Also, AES-GCM can be pipelined, so it is amenable to hardware acceleration.

Identifiers:

http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm

AES-GCM is used with a 96-bit Initialization Vector (IV) and a 128-bit Authentication Tag (T). The cipher text contains the IV first, followed by the T, and then finally the encrypted octets. Decryption should fail if the authentication tag computed during decryption does not match the specified Authentication Tag.

Pratik
Received on Monday, 9 November 2009 20:19:48 UTC
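The CipherValue layout the proposal above describes (96-bit IV, then the 128-bit tag T, then the encrypted octets, with decryption failing on a tag mismatch), as an added illustration in Go that is not part of the email or of any XML Encryption implementation; it assumes Go's standard crypto/cipher GCM, which emits the tag after the ciphertext, so the tag is moved in front to match the proposed order. The demo key and plaintext are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const ivLen, tagLen = 12, 16 // 96-bit IV and 128-bit tag, as proposed

// newGCM builds an AES-GCM AEAD for an AES-128 or AES-256 key (the two proposed identifiers).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // Go default: 12-byte nonce, 16-byte tag
}

// encryptGCM emits the proposed layout IV || T || C. Go's Seal yields C || T, so T is moved in front.
func encryptGCM(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	iv := make([]byte, ivLen) // fresh random IV for every encryption under a key
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, iv, plaintext, nil)
	c, t := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]
	return append(append(append([]byte{}, iv...), t...), c...), nil
}

// decryptGCM parses IV || T || C and fails when the tag recomputed over C does not equal T.
func decryptGCM(aead cipher.AEAD, cipherValue []byte) ([]byte, error) {
	if len(cipherValue) < ivLen+tagLen {
		return nil, fmt.Errorf("CipherValue shorter than IV plus tag")
	}
	iv, t, c := cipherValue[:ivLen], cipherValue[ivLen:ivLen+tagLen], cipherValue[ivLen+tagLen:]
	sealed := append(append([]byte{}, c...), t...) // back to Go's C || T before Open
	return aead.Open(nil, iv, sealed, nil) // Open verifies the tag and errors on mismatch
}

func main() {
	aead, _ := newGCM(make([]byte, 16)) // constructed all-zero 128-bit demo key
	cv, _ := encryptGCM(aead, []byte("<a>secret</a>"))
	pt, err := decryptGCM(aead, cv)
	cv[len(cv)-1] ^= 1 // flip one bit of the encrypted octets
	_, tampered := decryptGCM(aead, cv)
	fmt.Printf("%q %v; tampered: %v\n", pt, err, tampered)
}
```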