ISSUE-155: Add AES-GCM to XML Encryption 1.1
- State: CLOSED
- Product: XML Encryption 1.1
- Raised by: Pratik Datta
- Opened on: 2009-11-16
- Description: Consider adding AES-GCM to XML Encryption 1.1 as an optional-to-implement algorithm.
NSA Suite B requires AES-GCM as a TLS cipher suite (see RFC 5430, http://www.rfc-archive.org/getrfc.php?rfc=5430).
From email: http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0030.html
- Related Action Items: No related actions
- Related emails:
- Draft minutes 2009-12-15, please review (from frederick.hirsch@nokia.com on 2009-12-15)
- Agenda: Distributed Meeting 2009-12-15 (from frederick.hirsch@nokia.com on 2009-12-14)
- updated minutes from 17 November for approval (from frederick.hirsch@nokia.com on 2009-12-08)
- Agenda: Distributed Meeting 2009-12-08 (from frederick.hirsch@nokia.com on 2009-12-07)
- Draft minutes for 11/24 (from cantor.2@osu.edu on 2009-11-24)
- Draft minutes 2009-11-17 (from frederick.hirsch@nokia.com on 2009-11-21)
- Agenda: Distributed Meeting 2009-11-24 (from frederick.hirsch@nokia.com on 2009-11-21)
- Agenda: Distributed Meeting 2009-11-17 (from frederick.hirsch@nokia.com on 2009-11-16)
Related notes:
from email: http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0030.html
Here is a preliminary proposal for adding AES-GCM (I had a brief
discussion about GCM with Brian in the F2F)
Section 5.1 (add this to the list of algorithms):
http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm
Section 5.2.3 AES-GCM (add new section)
AES-GCM is an authenticated encryption mechanism, i.e. it is equivalent
to doing these two operations in one step: HMAC signing followed by
AES-CBC encryption. It is very attractive from a performance point of
view, because the cost of AES-GCM is similar to regular AES-CBC
encryption, yet it achieves the same result as encryption + HMAC
signing. Also, AES-GCM can be pipelined, so it is amenable to hardware
acceleration.
Identifiers:
http://www.w3.org/2009/xmlenc11#aes128-gcm
http://www.w3.org/2009/xmlenc11#aes256-gcm
AES-GCM is used with a 96 bit Initialization Vector (IV), and a 128 bit
Authentication Tag (T). The cipher text contains the IV first, followed
by the T and then finally the encrypted octets. Decryption should fail
if the authentication tag computed during decryption does not match the
specified Authentication Tag.
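As an added example, not part of the issue, the quoted email, or the XML Encryption 1.1 text, the Go program below implements the CipherValue layout exactly as the proposal above states it: a 96-bit IV, a 128-bit authentication tag, IV first, then the tag, then the encrypted octets, with decryption releasing no plaintext when the tag does not verify. The mapping from identifier to key size (aes128-gcm: 16-byte key, aes256-gcm: 32-byte key), the base64 wrapping, the constructed key and sample element, and all function names are assumptions of this example. Go's crypto/cipher emits the tag after the ciphertext, so the block reorders the bytes to match the quoted proposal; if the Working Group adopts a different byte order, only the split and join lines change.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Identifiers from the proposal. The key size each implies is an assumption here.
const (
	AES128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
	AES256GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
	IVLen     = 12 // 96-bit Initialization Vector
	TagLen    = 16 // 128-bit Authentication Tag
)

// ErrAuthFailed is returned whenever the tag does not verify; no plaintext is released.
var ErrAuthFailed = errors.New("xmlenc: GCM authentication tag mismatch")

// newGCM checks the key length against the algorithm URI and builds the AEAD.
// cipher.NewGCM defaults to a 12-byte nonce and a 16-byte tag, as the proposal requires.
func newGCM(alg string, key []byte) (cipher.AEAD, error) {
	var want int
	switch alg {
	case AES128GCM:
		want = 16
	case AES256GCM:
		want = 32
	default:
		return nil, fmt.Errorf("unsupported algorithm %q", alg)
	}
	if len(key) != want {
		return nil, fmt.Errorf("%s needs a %d-byte key, got %d", alg, want, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns a base64 CipherValue laid out as the proposal states: IV || T || C.
// A fresh random IV is drawn per call; an IV must never repeat under the same key.
func Encrypt(alg string, key, plaintext []byte) (string, error) {
	aead, err := newGCM(alg, key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, IVLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, iv, plaintext, nil) // Go emits C || T ...
	c, t := sealed[:len(sealed)-TagLen], sealed[len(sealed)-TagLen:]
	out := make([]byte, 0, IVLen+TagLen+len(c))
	out = append(append(append(out, iv...), t...), c...) // ... reordered to IV || T || C
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt parses IV || T || C and returns plaintext only if T verifies.
func Decrypt(alg string, key []byte, cipherValue string) ([]byte, error) {
	aead, err := newGCM(alg, key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(cipherValue)
	if err != nil {
		return nil, err
	}
	if len(raw) < IVLen+TagLen {
		return nil, errors.New("xmlenc: cipher value shorter than IV plus tag")
	}
	iv, t, c := raw[:IVLen], raw[IVLen:IVLen+TagLen], raw[IVLen+TagLen:]
	// Open expects C || T and checks the tag before releasing any plaintext.
	pt, err := aead.Open(nil, iv, append(append([]byte{}, c...), t...), nil)
	if err != nil {
		return nil, ErrAuthFailed
	}
	return pt, nil
}

// FlipByte corrupts one byte of a CipherValue, to show that any change is rejected.
func FlipByte(cipherValue string, i int) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(cipherValue)
	if err != nil || i < 0 || i >= len(raw) {
		return "", errors.New("bad cipher value or offset")
	}
	raw[i] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw), nil
}

func main() {
	key := []byte("0123456789abcdef")       // constructed 16-byte demo key, not for real use
	msg := []byte("<ssn>000-00-0000</ssn>") // constructed sample element content
	cv, _ := Encrypt(AES128GCM, key, msg)
	pt, err := Decrypt(AES128GCM, key, cv)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(pt) == string(msg), err)
	bad, _ := FlipByte(cv, IVLen+TagLen) // first encrypted octet
	_, err = Decrypt(AES128GCM, key, bad)
	fmt.Println("tampered cipher value rejected:", errors.Is(err, ErrAuthFailed))
}
```

Flipping a byte anywhere in the value, IV, tag or ciphertext, makes Open fail, which is the "decryption should fail" behaviour the proposal calls for; a decryptor must return the error rather than partial output.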
----
Maybe adding a reference to, e.g. NIST SP 800-38D (there are also some details in RFC 5288 on the use of nonces and authentication tags)?
http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0036.html
----
One more thing - from the NSA Suite B docs, it appears to me that they
prefer AES-GCM mode over the AES-CBC mode, because they recommend it in TLS.
Brian/Kevin/Magnus who have looked at the NSA Suite B docs carefully can
also review this.
http://lists.w3.org/Archives/Public/public-xmlsec/2009Nov/0037.html
----
Added.
Frederick Hirsch, 8 Jan 2010, 16:38:14