- From: Magnus Nystrom <mnystrom@microsoft.com>
- Date: Tue, 10 Nov 2009 17:18:42 +0000
- To: Frederick Hirsch <Frederick.Hirsch@nokia.com>, ext pratik datta <pratik.datta@oracle.com>
- CC: XMLSec WG Public List <public-xmlsec@w3.org>
Maybe adding a reference to, e.g. NIST SP 800-38D (there are also some details in RFC 5288 on the use of nonces and authentication tags)?

-- Magnus

> -----Original Message-----
> From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org] On Behalf Of Frederick Hirsch
> Sent: Tuesday, November 10, 2009 5:39 AM
> To: ext pratik datta
> Cc: Frederick Hirsch; XMLSec WG Public List
> Subject: Re: Proposal for adding AES-GCM to XML Encryption 1.1
>
> Does anyone object to adding this as optional to the XML Encryption 1.1 specification before Last Call?
>
> Who can review the text Pratik sent?
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> On Nov 9, 2009, at 6:13 PM, ext pratik datta wrote:
>
> > It will be optional.
> >
> > At this point I am not in a position to interop with this, but maybe in a few months.
> >
> > Pratik
> >
> > On 11/9/2009 12:25 PM, Frederick Hirsch wrote:
> >> Pratik
> >>
> >> Are you proposing we add it as an Optional or Required to implement algorithm?
> >>
> >> Who is in a position to interop test this?
> >>
> >> regards, Frederick
> >>
> >> Frederick Hirsch, Nokia
> >> Chair XML Security WG
> >>
> >> On Nov 9, 2009, at 3:18 PM, ext pratik datta wrote:
> >>
> >>> I am not sure how important AES-GCM is, but we can consider adding it to XML Encryption 1.1.
> >>>
> >>> NSA suite B requires AES-GCM as a TLS Cipher suite. (see RFC 5430 http://www.rfc-archive.org/getrfc.php?rfc=5430)
> >>>
> >>> Here is a preliminary proposal for adding AES-GCM (I had a brief discussion about GCM with Brian in the F2F)
> >>>
> >>> Section 5.1, (add this to the list of algorithms.)
> >>>
> >>> http://www.w3.org/2009/xmlenc11#aes128-gcm
> >>> http://www.w3.org/2009/xmlenc11#aes256-gcm
> >>>
> >>> Section 5.2.3 AES-GCM (add new section)
> >>>
> >>> AES-GCM is an authenticated encryption mechanism, i.e. it is equivalent to doing these two operations in one step: HMAC signing followed by AES-CBC encryption. It is very attractive from a performance point of view, because the cost of AES-GCM is similar to regular AES-CBC encryption, yet it achieves the same result as encryption + HMAC signing. Also AES-GCM can be pipelined, so it is amenable to hardware acceleration.
> >>>
> >>> Identifiers.
> >>> http://www.w3.org/2009/xmlenc11#aes128-gcm
> >>> http://www.w3.org/2009/xmlenc11#aes256-gcm
> >>>
> >>> AES-GCM is used with a 96 bit Initialization Vector (IV), and a 128 bit Authentication Tag (T). The cipher text contains the IV first, followed by the T and then finally the encrypted octets. Decryption should fail if the authentication tag computed during decryption does not match the specified Authentication Tag.
> >>>
> >>> Pratik
Received on Tuesday, 10 November 2009 17:19:24 UTC
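As an added example (not code from this thread, the XML Encryption 1.1 draft, or any XMLSec implementation), the Go program below implements the cipher-value layout exactly as proposed in the quoted text, IV (96 bits) first, then the 128-bit tag T, then the encrypted octets, on top of Go's standard-library AES-GCM. The key length selects aes128-gcm (16 bytes) or aes256-gcm (32 bytes), and Open returns an error and no plaintext whenever the tag computed during decryption does not match T; the IV is generated fresh per message, since reusing an IV under one GCM key breaks both confidentiality and the tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Sizes from the proposal: 96-bit IV, 128-bit authentication tag T.
const ivSize, tagSize = 12, 16

// newGCM builds AES-GCM; a 16-byte key gives aes128-gcm, 32 bytes aes256-gcm.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // Go's default GCM: 96-bit nonce, 128-bit tag
}

// Seal encrypts and lays the octets out as proposed: IV, then T, then ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivSize)
	if _, err := rand.Read(iv); err != nil { // GCM needs a fresh IV per message
		return nil, err
	}
	sealed := aead.Seal(nil, iv, plaintext, nil) // Go emits ciphertext || tag
	ct, tag := sealed[:len(sealed)-tagSize], sealed[len(sealed)-tagSize:]
	out := append(append(append([]byte{}, iv...), tag...), ct...)
	return out, nil
}

// Open parses IV || T || ciphertext; a tag mismatch yields an error, no plaintext.
func Open(key, blob []byte) ([]byte, error) {
	if len(blob) < ivSize+tagSize {
		return nil, errors.New("cipher value shorter than IV plus tag")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv, tag, ct := blob[:ivSize], blob[ivSize:ivSize+tagSize], blob[ivSize+tagSize:]
	return aead.Open(nil, iv, append(append([]byte{}, ct...), tag...), nil) // tag back last
}
```

The ordering of T and the encrypted octets here follows the draft text of this message; a receiver must use the same ordering as the sender, or every tag check will fail.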