Re: IV sizes for AES candidates

["Steven M. Bellovin" <smb@research.att.com>]

In message <392A357CE6FFD111AC3E00A0C99848B002FE990F@hdsmsx31.hd.intel.com>, "W
alker, Jesse" writes:
>I share Helger's desire to at least consider counter mode for AES. Counter
>mode is an opportunity to gain better data privacy than CBC mode offers and
>perhaps better performance as well. The WG can fall back to CBC mode if
>scrutiny reveals counter mode is somehow inapplicable within ESP.

Counter mode appears to be one instance of a "seekable stream cipher", 
per draft-mcgrew-ipsec-scesp-00.txt.  As was discussed in Pittsburgh, 
there are a number of limitations, including the very strong 
requirement for authentication and the need for a flat-out ban on using 
it with manual keying -- if you don't use IKE, there's just too much 
risk of seeing two streams encrypted with the same key and counter.

		--Steve Bellovin

---

Follow-Ups:

• Re: IV sizes for AES candidates
• From: "Theodore Y. Ts'o" <tytso@mit.edu>

---

• Prev by Date: Re: Heartbeats Straw Poll
• Next by Date: RE: IV sizes for AES candidates
• Prev by thread: RE: IV sizes for AES candidates
• Next by thread: Re: IV sizes for AES candidates
• Index(es):
  • Main
  • Thread