RE: Proposal for adding AES-GCM to XML Encryption 1.1 from Magnus Nystrom on 2009-11-10 (public-xmlsec@w3.org from November 2009)

From: Magnus Nystrom <mnystrom@microsoft.com>
Date: Tue, 10 Nov 2009 17:18:42 +0000
To: Frederick Hirsch <Frederick.Hirsch@nokia.com>, ext pratik datta <pratik.datta@oracle.com>
CC: XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <1081D4CDDC85CF4491AFD941A52242EF298CD315@TK5EX14MBXW653.wingroup.windeploy.ntde>

Maybe adding a reference to, e.g. NIST SP 800-38D (there are also some details in RFC 5288 on the use of nonces and authentication tags)?

-- Magnus


> -----Original Message-----
> From: public-xmlsec-request@w3.org [mailto:public-xmlsec-
> request@w3.org] On Behalf Of Frederick Hirsch
> Sent: Tuesday, November 10, 2009 5:39 AM
> To: ext pratik datta
> Cc: Frederick Hirsch; XMLSec WG Public List
> Subject: Re: Proposal for adding AES-GCM to XML Encryption 1.1
> 
> Does anyone object to adding this as optional to the XML Encryption
> 1.1 specification before Last Call?
> 
> Who can review the text Pratik sent?
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
> 
> 
> On Nov 9, 2009, at 6:13 PM, ext pratik datta wrote:
> 
> > It will be optional.
> >
> > At this point I am not in a position to interop with this, but maybe
> > in
> > a few months.
> >
> > Pratik
> >
> > On 11/9/2009 12:25 PM, Frederick Hirsch wrote:
> >> Pratik
> >>
> >> Are you proposing we add it as an Optional or Required to implement
> >> algorithm?
> >>
> >> Who is  in a position to interop test this?
> >>
> >> regards, Frederick
> >>
> >> Frederick Hirsch, Nokia
> >> Chair XML Security WG
> >>
> >>
> >>
> >> On Nov 9, 2009, at 3:18 PM, ext pratik datta wrote:
> >>
> >>> I am not sure how important AES-GCM is, but  we can consider
> >>> adding it
> >>> to XML Encryption 1.1.
> >>>
> >>> NSA suite B requires AES-GCM as a TLS Cipher suite. (see RFC 5430
> >>> http://www.rfc-archive.org/getrfc.php?rfc=5430)
> >>>
> >>>
> >>>
> >>> Here is a preliminary proposal for adding AES-GCM (I had a brief
> >>> discussion about GCM with Brian in the F2F)
> >>>
> >>>
> >>> Section 5.1,  (add this to the list of algorithms.)
> >>>
> >>> http://www.w3.org/2009/xmlenc11#aes128-gcm
> >>> http://www.w3.org/2009/xmlenc11#aes256-gcm
> >>>
> >>>
> >>> Section 5.2.3 AES-GCM   (add new section)
> >>>
> >>> AES-GCM is an authenticated encryption mechanism. I.e. it is
> >>> equivalent
> >>> to doing these two operations in one step - HMAC signing followed
> by
> >>> AES-CBC encryption. It is very attractive from performance point of
> >>> view, because the cost of AES-GCM is similar to regular AES-CBC
> >>> encryption, yet it achieves the same result as encryption + HMAC
> >>> signing.. Also AES-GCM can be pipelined so it is amenable to
> >>> hardware
> >>> acceleration..
> >>>
> >>> Identifiers.
> >>> http://www.w3.org/2009/xmlenc11#aes128-gcm
> >>> http://www.w3.org/2009/xmlenc11#aes256-gcm
> >>>
> >>>
> >>> AES-GCM is used with a 96 bit Initialization Vector (IV), and a
> >>> 128 bit
> >>> Authentication Tag (T). The cipher text contains the IV first,
> >>> followed
> >>> by the T and then finally the encrypted octets. Decryption should
> >>> fail
> >>> if the authentication tag computed during decryption does not
> >>> match the
> >>> specified Authentication Tag.
> >>>
> >>>
> >>>
> >>>
> >>> Pratik
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> 
>

Received on Tuesday, 10 November 2009 17:19:24 UTC