
RE: IV sizes for AES candidates


No disagreement on the points you raise. It still seems like something worth

-- Jesse

-----Original Message-----
From: Steven M. Bellovin [mailto:smb@research.att.com]
Sent: Thursday, August 10, 2000 11:29 AM
To: Walker, Jesse
Cc: ipsec@lists.tislabs.com
Subject: Re: IV sizes for AES candidates 

In message <392A357CE6FFD111AC3E00A0C99848B002FE990F@hdsmsx31.hd.intel.com>,
"Walker, Jesse" writes:
>I share Helger's desire to at least consider counter mode for AES. Counter
>mode is an opportunity to gain better data privacy than CBC mode offers and
>perhaps better performance as well. The WG can fall back to CBC mode if
>scrutiny reveals counter mode is somehow inapplicable within ESP.

Counter mode appears to be one instance of a "seekable stream cipher", 
per draft-mcgrew-ipsec-scesp-00.txt.  As was discussed in Pittsburgh, 
there are a number of limitations, including the very strong 
requirement for authentication and the need for a flat-out ban on using 
it with manual keying -- if you don't use IKE, there's just too much 
risk of seeing two streams encrypted with the same key and counter.

		--Steve Bellovin
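The three properties Steve's reply turns on (counter mode is seekable, it needs authentication, and reusing a key with the same counter is fatal) can be shown in a few lines. The following is an added example, not code from the thread or from any IPsec implementation. It assumes a stand-in block function (HMAC-SHA256 of nonce||counter, truncated to 16 bytes) in place of AES, since the properties come from the counter-mode construction rather than the cipher, and it uses a constructed key, nonce and pair of payloads.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # keystream bytes produced per counter value

# Constructed values for a reproducible demonstration (not real SA material).
KEY = b"K" * 16
NONCE = b"\x00" * 8
P1 = b"first ESP payload under this SA."   # 32 bytes
P2 = b"second payload, same key+counter"   # 32 bytes


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream for one counter value.

    Stand-in for the block cipher: HMAC-SHA256(key, nonce || counter),
    truncated to 16 bytes. An ESP implementation would use AES here; the
    behaviour shown below depends only on the counter-mode construction.
    """
    msg = nonce + struct.pack(">Q", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes, start_block: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) beginning at block index start_block."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, start_block + off // BLOCK)
        out.extend(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def seek_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, block_index: int) -> bytes:
    """Seekable stream cipher: recover one block without touching earlier ones."""
    chunk = ciphertext[block_index * BLOCK:(block_index + 1) * BLOCK]
    return ctr_crypt(key, nonce, chunk, start_block=block_index)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ct1: bytes, ct2: bytes, pt1_known: bytes) -> bytes:
    """What a passive observer learns when two packets share (key, nonce, counter).

    Because c1 XOR c2 == p1 XOR p2, knowing one plaintext gives the other
    without the key. This is the failure manual keying makes likely.
    """
    return xor_bytes(xor_bytes(ct1, ct2), pt1_known)


def flip_without_key(ciphertext: bytes, byte_index: int, mask: int) -> bytes:
    """Why authentication is mandatory: a ciphertext bit flip becomes the
    same plaintext bit flip after decryption, and nothing detects it."""
    ct = bytearray(ciphertext)
    ct[byte_index] ^= mask
    return bytes(ct)


if __name__ == "__main__":
    c1 = ctr_crypt(KEY, NONCE, P1)
    c2 = ctr_crypt(KEY, NONCE, P2)
    print("round trip ok:", ctr_crypt(KEY, NONCE, c1) == P1)
    print("seek block 1:", seek_decrypt(KEY, NONCE, c1, 1))
    print("leak with reused counter:", keystream_reuse_leak(c1, c2, P1))
    fresh = ctr_crypt(KEY, b"\x00" * 7 + b"\x01", P2)
    print("leak with fresh nonce:", keystream_reuse_leak(c1, fresh, P1))
    print("unauthenticated flip:", ctr_crypt(KEY, NONCE, flip_without_key(c1, 0, 0x20)))
```

The fresh-nonce case shows the defensive requirement behind the "flat-out ban" on manual keying: the observer's XOR trick only works when the keystream repeats, so every SA (and every packet within it) must be guaranteed a unique key/counter pair, which is what automated keying via IKE provides.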