
RE: IV sizes for AES candidates

I share Helger's desire to at least consider counter mode for AES. Counter
mode is an opportunity to gain better data privacy than CBC mode offers and
perhaps better performance as well. The WG can fall back to CBC mode if
scrutiny reveals counter mode is somehow inapplicable within ESP.

-- Jesse

-----Original Message-----
From: Helger Lipmaa [mailto:helger@tml.hut.fi]
Sent: Thursday, August 10, 2000 7:32 AM
To: Sheila Frankel
Cc: Steven M. Bellovin; ipsec@lists.tislabs.com
Subject: Re: IV sizes for AES candidates 

On Tue, 8 Aug 2000, Sheila Frankel wrote:

> If the consensus of the group is that we should stick with the
> tried-and-true CBC mode, that's fine with us, and the next version of the
> draft will reflect that.

No!!! This is NOT the consensus. At least the counter mode should also
be reconsidered as a standard.

[Sometime in the spring I announced that a draft, coauthored by me and Phil
Rogaway, on counter mode was in the works. Unfortunately, because of many
obstacles it is still in the works, but it will be ready during this month!]

> The only keysize required by the draft is 128 bits; the others are
> optional. We are interested in comments from the list - should the other
> key sizes be mentioned at all? any other comments on the "IKE
> section?

Other key sizes have no practical benefit at this moment.

> By the way, has anyone else implemented any of the AES candidates in IPsec
> and/or IKE?

I've implemented all AES candidates, but not in the context of IPSec.