
Re: IV sizes for AES candidates

In message <392A357CE6FFD111AC3E00A0C99848B002FE990F@hdsmsx31.hd.intel.com>, "Walker, Jesse" writes:
>I share Helger's desire to at least consider counter mode for AES. Counter
>mode is an opportunity to gain better data privacy than CBC mode offers and
>perhaps better performance as well. The WG can fall back to CBC mode if
>scrutiny reveals counter mode is somehow inapplicable within ESP.

Counter mode appears to be one instance of a "seekable stream cipher", 
per draft-mcgrew-ipsec-scesp-00.txt.  As was discussed in Pittsburgh, 
there are a number of limitations, including the very strong 
requirement for authentication and the need for a flat-out ban on using 
it with manual keying -- if you don't use IKE, there's just too much 
risk of seeing two streams encrypted with the same key and counter.

		--Steve Bellovin
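The two failure modes named above (keystream reuse under a fixed key and counter, and the need for authentication because counter mode is malleable) are easy to see with real AES. The program below is an added example, not part of the thread and not from draft-mcgrew-ipsec-scesp-00.txt; it uses AES-128 in counter mode from Go's standard library, and the key, initial counter block and packet payloads are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrEncrypt applies AES-CTR(key, counterBlock) to msg. Counter mode is an
// XOR with a keystream, so the same function also decrypts. If the key and
// counter block are fixed (as with manual keying and no IKE to refresh
// them), every call produces the identical keystream.
func ctrEncrypt(key, counterBlock, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(msg))
	cipher.NewCTR(block, counterBlock).XORKeyStream(out, msg)
	return out
}

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverSecondPlaintext is the "two streams, same key and counter" leak:
// c1 ^ c2 cancels the shared keystream and leaves p1 ^ p2, so knowing (or
// guessing) p1 yields p2 with no key material at all.
func RecoverSecondPlaintext(c1, c2, known1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), known1)
}

// TamperCiphertext is why authentication is not optional: XORing a mask into
// a CTR ciphertext at some offset XORs the same mask into the decrypted
// plaintext at that offset, without the attacker knowing the key.
func TamperCiphertext(ct []byte, offset int, mask []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := range mask {
		if offset+i < len(out) {
			out[offset+i] ^= mask[i]
		}
	}
	return out
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key for the demo
	ctr := make([]byte, aes.BlockSize) // constructed fixed initial counter (manual keying)

	// Two constructed ESP payloads protected under the same manual SA.
	p1 := []byte("SA1 payload: balance=00100 to acct A")
	p2 := []byte("SA1 payload: balance=99999 to acct B")
	c1 := ctrEncrypt(key, ctr, p1)
	c2 := ctrEncrypt(key, ctr, p2)

	fmt.Printf("known p1:     %q\n", p1)
	fmt.Printf("recovered p2: %q\n", RecoverSecondPlaintext(c1, c2, p1))

	// Same key, fresh counter block: the XOR trick no longer works.
	fresh := make([]byte, aes.BlockSize)
	fresh[aes.BlockSize-1] = 1
	c3 := ctrEncrypt(key, fresh, p2)
	fmt.Printf("with a fresh counter: %q\n", RecoverSecondPlaintext(c1, c3, p1))

	// Malleability: rewrite the balance field in transit with no key.
	off := bytes.Index(p1, []byte("00100"))
	mask := xorBytes([]byte("00100"), []byte("99999"))
	tampered := TamperCiphertext(c1, off, mask)
	fmt.Printf("receiver decrypts: %q\n", ctrEncrypt(key, ctr, tampered))
}
```

The first two outputs show the reuse leak and that a fresh counter block alone closes it; the last shows that even a correctly keyed, never-reused counter stream still needs an integrity check, since the receiver accepts the rewritten balance as genuine.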