Re: IV sizes for AES candidates
In message <392A357CE6FFD111AC3E00A0C99848B002FE990F@hdsmsx31.hd.intel.com>, "Walker, Jesse" writes:
>I share Helger's desire to at least consider counter mode for AES. Counter
>mode is an opportunity to gain better data privacy than CBC mode offers and
>perhaps better performance as well. The WG can fall back to CBC mode if
>scrutiny reveals counter mode is somehow inapplicable within ESP.
Counter mode appears to be one instance of a "seekable stream cipher",
per draft-mcgrew-ipsec-scesp-00.txt. As was discussed in Pittsburgh,
there are a number of limitations, including the very strong
requirement for authentication and the need for a flat-out ban on using
it with manual keying -- if you don't use IKE, there's just too much
risk of seeing two streams encrypted with the same key and counter.
--Steve Bellovin
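The three properties Bellovin raises (counter mode as a seekable stream cipher, the catastrophic effect of two streams under one key and counter, and the need for authentication) can be shown directly in code. The following is an added example, not code from the thread, the draft, or any IPsec implementation. To run with only the Python standard library, it uses SHA-256(key || nonce || counter) as a stand-in keyed PRF where AES-CTR would use AES_k(nonce || counter); the key, nonce and packet contents are constructed sample values. Everything demonstrated is a property of the mode, not of the block function.

```python
"""Counter mode: seekability, two-time-pad leakage, and malleability.

Added example for the mailing-list discussion above; not code from the
thread or from any IPsec implementation. The keystream block is a stand-in
PRF (SHA-256 over key || nonce || counter) so the script runs without
third-party libraries; with AES it would be AES_k(nonce || counter).
"""
import hashlib
import struct

BLOCK = 32  # SHA-256 output size; AES would give 16-byte keystream blocks

# Constructed sample values (not from the thread).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
NONCE = bytes.fromhex("0011223344556677")       # per-SA nonce, as IKE would pick
OTHER_NONCE = bytes.fromhex("8899aabbccddeeff")  # a second, distinct SA nonce
PACKET_A = b"constructed sample: GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
PACKET_B = (b"constructed sample: POST /login HTTP/1.0\r\nHost: example.test\r\n\r\n"
            b"user=alice&pw=hunter2")


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream block i = PRF(key, nonce || i). Stand-in for AES_k(nonce || i)."""
    return hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()


def ctr_xor(key: bytes, nonce: bytes, data: bytes, offset: int = 0) -> bytes:
    """Encrypt or decrypt (the same XOR) starting at byte `offset` of the stream.

    Block i depends only on (key, nonce, i), so any offset can be computed
    without generating the keystream before it: the "seekable" property.
    """
    out = bytearray(len(data))
    cache = {}
    for i, b in enumerate(data):
        pos = offset + i
        blk = pos // BLOCK
        if blk not in cache:
            cache[blk] = keystream_block(key, nonce, blk)
        out[i] = b ^ cache[blk][pos % BLOCK]
    return bytes(out)


def seek_decrypt(key: bytes, nonce: bytes, ciphertext: bytes,
                 start: int, length: int) -> bytes:
    """Decrypt ciphertext[start:start+length] without touching the rest."""
    return ctr_xor(key, nonce, ciphertext[start:start + length], offset=start)


def two_time_pad_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two packets under the same key AND counter: c1 ^ c2 == p1 ^ p2.

    An attacker who knows (or can guess) p1 reads p2 outright. This is the
    failure that a ban on manual keying is meant to prevent: a fixed key with
    a counter that restarts (e.g. after a reboot) recreates exactly this.
    """
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[i] ^ c2[i] ^ known_p1[i] for i in range(n))


def flip_plaintext(ciphertext: bytes, offset: int,
                   original: bytes, desired: bytes) -> bytes:
    """Without authentication, known plaintext at `offset` can be rewritten to
    `desired` by XORing the difference into the ciphertext; the receiver
    decrypts the forged bytes cleanly. Hence the "very strong requirement
    for authentication" with counter mode."""
    if len(original) != len(desired):
        raise ValueError("original and desired must have equal length")
    c = bytearray(ciphertext)
    for i in range(len(original)):
        c[offset + i] ^= original[i] ^ desired[i]
    return bytes(c)


def demo() -> dict:
    """Run the three demonstrations and return their results."""
    c_a = ctr_xor(KEY, NONCE, PACKET_A)
    c_b_same = ctr_xor(KEY, NONCE, PACKET_B)         # key+counter reused
    c_b_other = ctr_xor(KEY, OTHER_NONCE, PACKET_B)  # distinct nonce, as it should be
    return {
        "seek": seek_decrypt(KEY, NONCE, c_a, 20, 11),
        "leaked_b": two_time_pad_recover(c_a, c_b_same, PACKET_A),
        "safe_b": two_time_pad_recover(c_a, c_b_other, PACKET_A),
        "forged": ctr_xor(KEY, NONCE, flip_plaintext(c_a, 20, b"GET", b"PUT")),
    }


if __name__ == "__main__":
    r = demo()
    print("seek      :", r["seek"])
    print("leaked_b  :", r["leaked_b"])
    print("safe_b ok :", r["safe_b"] != PACKET_B[:len(r["safe_b"])])
    print("forged    :", r["forged"][:40])
```

With the same key and nonce, `leaked_b` is the full prefix of PACKET_B; with a distinct nonce the same XOR yields noise. The forged request decrypts to `PUT /index.html` with no error, which is why counter mode in ESP is only acceptable together with an integrity check.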