ISSUE-155: Add AES-GCM to XML Encryption 1.1

State:
CLOSED
Product:
XML Encryption 1.1
Raised by:
Pratik Datta
Opened on:
2009-11-16
Description:
Consider adding AES-GCM to XML Encryption 1.1 as an optional-to-implement algorithm.

NSA Suite B requires AES-GCM as a TLS cipher suite (see RFC 5430, http://www.rfc-archive.org/getrfc.php?rfc=5430).

from email: http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0030.html
Related Actions Items:
No related actions
Related emails:
  1. Draft minutes 2009-12-15, please review (from frederick.hirsch@nokia.com on 2009-12-15)
  2. Agenda: Distributed Meeting 2009-12-15 (from frederick.hirsch@nokia.com on 2009-12-14)
  3. updated minutes from 17 November for approval (from frederick.hirsch@nokia.com on 2009-12-08)
  4. Agenda: Distributed Meeting 2009-12-08 (from frederick.hirsch@nokia.com on 2009-12-07)
  5. Draft minutes for 11/24 (from cantor.2@osu.edu on 2009-11-24)
  6. Draft minutes 2009-11-17 (from frederick.hirsch@nokia.com on 2009-11-21)
  7. Agenda: Distributed Meeting 2009-11-24 (from frederick.hirsch@nokia.com on 2009-11-21)
  8. Agenda: Distributed Meeting 2009-11-17 (from frederick.hirsch@nokia.com on 2009-11-16)

Related notes:

from email: http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0030.html

Here is a preliminary proposal for adding AES-GCM (I had a brief
discussion about GCM with Brian in the F2F)


Section 5.1, (add this to the list of algorithms.)

http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm


Section 5.2.3 AES-GCM (add new section)

AES-GCM is an authenticated encryption mechanism, i.e. it is equivalent
to doing these two operations in one step: HMAC signing followed by
AES-CBC encryption. It is very attractive from a performance point of
view, because the cost of AES-GCM is similar to regular AES-CBC
encryption, yet it achieves the same result as encryption + HMAC
signing. Also, AES-GCM can be pipelined, so it is amenable to hardware
acceleration.

Identifiers.
http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm


AES-GCM is used with a 96 bit Initialization Vector (IV), and a 128 bit
Authentication Tag (T). The cipher text contains the IV first, followed
by the T and then finally the encrypted octets. Decryption should fail
if the authentication tag computed during decryption does not match the
specified Authentication Tag.

----
Maybe adding a reference to, e.g. NIST SP 800-38D (there are also some details in RFC 5288 on the use of nonces and authentication tags)?

http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0036.html
----
One more thing - from the NSA Suite B docs, it appears to me that they
prefer AES-GCM mode over the AES-CBC mode, because they recommend it in TLS.
Brian/Kevin/Magnus who have looked at the NSA Suite B docs carefully can
also review this.

http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0037.html
----

Frederick Hirsch, 16 Nov 2009, 15:49:24
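The following is an added example, not code from the proposal, the working group or any XML Security implementation. It shows the cipher data layout exactly as the quoted proposal states it (96-bit IV first, then the 128-bit tag T, then the encrypted octets) using Go's standard-library AES-GCM, whose default nonce and tag sizes match the proposal. The helper names (sealProposalLayout, openProposalLayout, knownAnswerCheck) are invented for this example, the keys and plaintext are constructed, and the known-answer values are test case 2 from the GCM specification (all-zero key, IV and plaintext block). Decryption returns an error and no plaintext when the recomputed tag does not match T, which is the failure behaviour the proposal requires.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sizes fixed by the proposal: 96-bit IV and 128-bit authentication tag.
// Both match Go's crypto/cipher defaults for GCM (NonceSize 12, Overhead 16).
const (
	ivSize  = 12
	tagSize = 16
	// Identifiers the proposal adds to Section 5.1.
	aes128GCMURI = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
	aes256GCMURI = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
)

// newGCM builds an AES-GCM AEAD for a 128- or 256-bit key (hypothetical helper).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealProposalLayout encrypts and orders the octets as the proposal says:
// IV first, then the tag T, then the encrypted octets.
func sealProposalLayout(key, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != ivSize {
		return nil, errors.New("IV must be 96 bits")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, iv, plaintext, nil) // Go yields ciphertext || T
	ct, tag := sealed[:len(sealed)-tagSize], sealed[len(sealed)-tagSize:]
	out := make([]byte, 0, ivSize+tagSize+len(ct))
	out = append(append(out, iv...), tag...)
	return append(out, ct...), nil
}

// openProposalLayout parses IV || T || ciphertext and decrypts. It returns an
// error and no plaintext when the tag recomputed over the ciphertext differs from T.
func openProposalLayout(key, cipherData []byte) ([]byte, error) {
	if len(cipherData) < ivSize+tagSize {
		return nil, errors.New("cipher data shorter than IV plus tag")
	}
	iv := cipherData[:ivSize]
	tag := cipherData[ivSize : ivSize+tagSize]
	ct := cipherData[ivSize+tagSize:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sealed := append(append([]byte{}, ct...), tag...) // back to Go's ciphertext || T
	pt, err := gcm.Open(nil, iv, sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: authentication tag mismatch: %w", err)
	}
	return pt, nil
}

// knownAnswerCheck runs GCM test case 2 from the GCM specification (all-zero
// 128-bit key, 96-bit IV and one zero block) through the proposal layout.
func knownAnswerCheck() bool {
	out, err := sealProposalLayout(make([]byte, 16), make([]byte, ivSize), make([]byte, 16))
	if err != nil {
		return false
	}
	want := "000000000000000000000000" + // IV
		"ab6e47d42cec13bdf53a67b21257bddf" + // T
		"0388dace60b6a392f328c2b971b2fe78" // encrypted octets
	return hex.EncodeToString(out) == want
}

func main() {
	key := make([]byte, 32) // constructed all-zero AES-256 key, demonstration only
	iv := make([]byte, ivSize)
	rand.Read(iv) // a fresh IV per message; never reuse one under the same key
	cd, err := sealProposalLayout(key, iv, []byte("constructed sample plaintext"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %d octets (IV %d, T %d)\n", aes256GCMURI, len(cd), ivSize, tagSize)
	cd[ivSize+tagSize] ^= 1 // flip one encrypted octet
	_, err = openProposalLayout(key, cd)
	fmt.Println("tampered:", err)
	fmt.Println("known answer check:", knownAnswerCheck())
}
```

Because GCM's security collapses when an IV is repeated under the same key, the IV here is drawn fresh from crypto/rand for every message; the nonce guidance in NIST SP 800-38D and RFC 5288 that the thread points to covers that requirement. A receiver should treat any tag mismatch as a hard failure and release no partial plaintext, which is what openProposalLayout does by returning only the error.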

Added.

Frederick Hirsch, 8 Jan 2010, 16:38:14

$Id: 155.html,v 1.1 2017/01/10 16:24:44 carine Exp $