- From: pratik datta <pratik.datta@oracle.com>
- Date: Tue, 10 Nov 2009 09:21:13 -0800
- To: "Martin, Cynthia E." <cemartin@mitre.org>
- CC: Frederick Hirsch <Frederick.Hirsch@nokia.com>, XMLSec WG Public List <public-xmlsec@w3.org>
One more thing - from the NSA Suite B docs, it appears to me that they prefer AES-GCM mode over the AES-CBC mode, because they recommend it in TLS. Brian/Kevin/Magnus who have looked at the NSA Suite B docs carefully can also review this.

Pratik

On 11/10/2009 5:51 AM, Martin, Cynthia E. wrote:
> I have no objections- I can review it this morning.
>
> Cynthia
>
> ________________________________________
> From: public-xmlsec-request@w3.org [public-xmlsec-request@w3.org] On Behalf Of Frederick Hirsch [Frederick.Hirsch@nokia.com]
> Sent: Tuesday, November 10, 2009 8:38 AM
> To: ext pratik datta
> Cc: Frederick Hirsch; XMLSec WG Public List
> Subject: Re: Proposal for adding AES-GCM to XML Encryption 1.1
>
> Does anyone object to adding this as optional to the XML Encryption 1.1 specification before Last Call?
>
> Who can review the text Pratik sent?
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> On Nov 9, 2009, at 6:13 PM, ext pratik datta wrote:
>
>> It will be optional.
>>
>> At this point I am not in a position to interop with this, but maybe in a few months.
>>
>> Pratik
>>
>> On 11/9/2009 12:25 PM, Frederick Hirsch wrote:
>>
>>> Pratik
>>>
>>> Are you proposing we add it as an Optional or Required to implement algorithm?
>>>
>>> Who is in a position to interop test this?
>>>
>>> regards, Frederick
>>>
>>> Frederick Hirsch, Nokia
>>> Chair XML Security WG
>>>
>>> On Nov 9, 2009, at 3:18 PM, ext pratik datta wrote:
>>>
>>>> I am not sure how important AES-GCM is, but we can consider adding it to XML Encryption 1.1.
>>>>
>>>> NSA suite B requires AES-GCM as a TLS Cipher suite. (see RFC 5430 http://www.rfc-archive.org/getrfc.php?rfc=5430)
>>>>
>>>> Here is a preliminary proposal for adding AES-GCM (I had a brief discussion about GCM with Brian in the F2F)
>>>>
>>>> Section 5.1, (add this to the list of algorithms.)
>>>>
>>>> http://www.w3.org/2009/xmlenc11#aes128-gcm
>>>> http://www.w3.org/2009/xmlenc11#aes256-gcm
>>>>
>>>> Section 5.2.3 AES-GCM (add new section)
>>>>
>>>> AES-GCM is an authenticated encryption mechanism. I.e. it is equivalent to doing these two operations in one step - HMAC signing followed by AES-CBC encryption. It is very attractive from a performance point of view, because the cost of AES-GCM is similar to regular AES-CBC encryption, yet it achieves the same result as encryption + HMAC signing. Also AES-GCM can be pipelined so it is amenable to hardware acceleration.
>>>>
>>>> Identifiers.
>>>> http://www.w3.org/2009/xmlenc11#aes128-gcm
>>>> http://www.w3.org/2009/xmlenc11#aes256-gcm
>>>>
>>>> AES-GCM is used with a 96 bit Initialization Vector (IV), and a 128 bit Authentication Tag (T). The cipher text contains the IV first, followed by the T and then finally the encrypted octets. Decryption should fail if the authentication tag computed during decryption does not match the specified Authentication Tag.
>>>>
>>>> Pratik
Received on Tuesday, 10 November 2009 17:23:04 UTC
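The octet layout and the tag check in Pratik's proposal (96-bit IV, then the 128-bit tag T, then the encrypted octets; decryption fails on a tag mismatch) can be exercised with Go's standard library. The block below is an added example written for this archive page; it is not code from the thread, from the working group, or from any XML Encryption implementation. It assumes only `crypto/aes` and `crypto/cipher` from the Go standard library, uses no additional authenticated data since the proposal names none, and the key and the `<CreditCard>` payload are constructed sample values, not taken from the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sizes from the proposal: 96-bit IV and 128-bit authentication tag.
const (
	gcmIVSize  = 12
	gcmTagSize = 16
)

// newGCM builds an AES-GCM AEAD; a 16-byte key gives aes128-gcm, a 32-byte key aes256-gcm.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce and 16-byte tag by default
}

// sealProposalLayout encrypts plaintext and returns the octets in the order the
// proposal describes: IV, then the authentication tag T, then the encrypted octets.
// No additional authenticated data is passed, since the proposal mentions none.
func sealProposalLayout(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcmIVSize)
	if _, err := rand.Read(iv); err != nil { // fresh IV per encryption; never reuse one under a key
		return nil, err
	}
	// Go's Seal returns ciphertext followed by the tag; split and reorder.
	sealed := aead.Seal(nil, iv, plaintext, nil)
	ct, tag := sealed[:len(sealed)-gcmTagSize], sealed[len(sealed)-gcmTagSize:]
	out := make([]byte, 0, gcmIVSize+gcmTagSize+len(ct))
	out = append(out, iv...)
	out = append(out, tag...)
	return append(out, ct...), nil
}

// openProposalLayout parses IV || T || encrypted octets and decrypts.
// It returns an error and no plaintext when the recomputed tag does not match T.
func openProposalLayout(key, data []byte) ([]byte, error) {
	if len(data) < gcmIVSize+gcmTagSize {
		return nil, errors.New("cipher data shorter than IV plus tag")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := data[:gcmIVSize]
	tag := data[gcmIVSize : gcmIVSize+gcmTagSize]
	ct := data[gcmIVSize+gcmTagSize:]
	// Rebuild the ciphertext || tag form that Go's Open expects.
	sealed := make([]byte, 0, len(ct)+gcmTagSize)
	sealed = append(append(sealed, ct...), tag...)
	pt, err := aead.Open(nil, iv, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed, authentication tag mismatch: %w", err)
	}
	return pt, nil
}

// flipBit returns a copy of data with one bit flipped at offset i, used to show
// that any change to the IV, the tag or the encrypted octets is rejected.
func flipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := []byte("0123456789abcdef")                                 // constructed 128-bit demo key
	msg := []byte("<CreditCard>4111 1111 1111 1111</CreditCard>")      // constructed sample payload
	data, err := sealProposalLayout(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("IV(%d) || T(%d) || ciphertext(%d) = %d octets\n", gcmIVSize, gcmTagSize, len(msg), len(data))
	pt, err := openProposalLayout(key, data)
	fmt.Printf("intact:   err=%v plaintext=%q\n", err, pt)
	_, err = openProposalLayout(key, flipBit(data, gcmIVSize+gcmTagSize)) // first encrypted octet
	fmt.Printf("tampered: err=%v\n", err)
}
```

The tag position is a serialization choice, and a decryptor must know which layout it is reading: this block follows the IV || T || encrypted-octets order as proposed in the thread, whereas the published XML Encryption 1.1 AES-GCM section places the authentication tag after the encrypted octets. Either way, the security-relevant behaviour is the same as the proposal's last sentence: no plaintext is released unless the recomputed tag matches, which is what distinguishes GCM from CBC without a MAC.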