RE: Proposal for adding AES-GCM to XML Encryption 1.1

I have no objections- I can review it this morning.

Cynthia

________________________________________
From: public-xmlsec-request@w3.org [public-xmlsec-request@w3.org] On Behalf Of Frederick Hirsch [Frederick.Hirsch@nokia.com]
Sent: Tuesday, November 10, 2009 8:38 AM
To: ext pratik datta
Cc: Frederick Hirsch; XMLSec WG Public List
Subject: Re: Proposal for adding AES-GCM to XML Encryption 1.1

Does anyone object to adding this as optional to the XML Encryption
1.1 specification before Last Call?

Who can review the text Pratik sent?

regards, Frederick

Frederick Hirsch
Nokia



On Nov 9, 2009, at 6:13 PM, ext pratik datta wrote:

> It will be optional.
>
> At this point I am not in a position to interop with this, but maybe
> in
> a few months.
>
> Pratik
>
> On 11/9/2009 12:25 PM, Frederick Hirsch wrote:
>> Pratik
>>
>> Are you proposing we add it as an Optional or Required to implement
>> algorithm?
>>
>> Who is  in a position to interop test this?
>>
>> regards, Frederick
>>
>> Frederick Hirsch, Nokia
>> Chair XML Security WG
>>
>>
>>
>> On Nov 9, 2009, at 3:18 PM, ext pratik datta wrote:
>>
>>> I am not sure how important AES-GCM is, but  we can consider
>>> adding it
>>> to XML Encryption 1.1.
>>>
>>> NSA suite B requires AES-GCM as a TLS Cipher suite. (see RFC 5430
>>> http://www.rfc-archive.org/getrfc.php?rfc=5430)
>>>
>>>
>>>
>>> Here is a preliminary proposal for adding AES-GCM (I had a brief
>>> discussion about GCM with Brian in the F2F)
>>>
>>>
>>> Section 5.1,  (add this to the list of algorithms.)
>>>
>>> http://www.w3.org/2009/xmlenc11#aes128-gcm
>>> http://www.w3.org/2009/xmlenc11#aes256-gcm
>>>
>>>
>>> Section 5.2.3 AES-GCM   (add new section)
>>>
>>> AES-GCM is an authenticated encryption mechanism. I.e. it is
>>> equivalent
>>> to doing these two operations in one step - HMAC signing followed by
>>> AES-CBC encryption. It is very attractive from performance point of
>>> view, because the cost of AES-GCM is similar to regular AES-CBC
>>> encryption, yet it achieves the same result as encryption + HMAC
>>> signing.. Also AES-GCM can be pipelined so it is amenable to
>>> hardware
>>> acceleration..
>>>
>>> Identifiers.
>>> http://www.w3.org/2009/xmlenc11#aes128-gcm
>>> http://www.w3.org/2009/xmlenc11#aes256-gcm
>>>
>>>
>>> AES-GCM is used with a 96 bit Initialization Vector (IV), and a
>>> 128 bit
>>> Authentication Tag (T). The cipher text contains the IV first,
>>> followed
>>> by the T and then finally the encrypted octets. Decryption should
>>> fail
>>> if the authentication tag computed during decryption does not
>>> match the
>>> specified Authentication Tag.
>>>
>>>
>>>
>>>
>>> Pratik
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>

Received on Tuesday, 10 November 2009 13:52:51 UTC