RE: IV sizes for AES candidates
Steve,
No disagreement on the points you raise. It still seems like something worth
considering.
-- Jesse
-----Original Message-----
From: Steven M. Bellovin <smb@research.att.com>
Sent: Thursday, August 10, 2000 11:29 AM
To: Walker, Jesse
Cc: ipsec@lists.tislabs.com
Subject: Re: IV sizes for AES candidates
In message <392A357CE6FFD111AC3E00A0C99848B002FE990F@hdsmsx31.hd.intel.com>,
"Walker, Jesse" writes:
>I share Helger's desire to at least consider counter mode for AES. Counter
>mode is an opportunity to gain better data privacy than CBC mode offers and
>perhaps better performance as well. The WG can fall back to CBC mode if
>scrutiny reveals counter mode is somehow inapplicable within ESP.
Counter mode appears to be one instance of a "seekable stream cipher",
per draft-mcgrew-ipsec-scesp-00.txt. As was discussed in Pittsburgh,
there are a number of limitations, including the very strong
requirement for authentication and the need for a flat-out ban on using
it with manual keying -- if you don't use IKE, there's just too much
risk of seeing two streams encrypted with the same key and counter.
--Steve Bellovin
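The two hazards Bellovin raises are properties of counter mode itself rather than of any particular block cipher, so they can be shown with a small self-contained model. The following is an added example, not code from the thread, the IPsec WG or the scesp draft. To run offline without third-party packages it uses SHA-256 over key||counter as a stand-in for the AES block encryption of the counter block; all function names, the key and the sample plaintexts are constructed for illustration.

```python
import hashlib

BLOCK_BYTES = 32  # SHA-256 digest length, used as the keystream block width


def block_fn(key: bytes, counter: int) -> bytes:
    """Stand-in for AES_k(counter_block). Any pseudorandom function gives the
    same demonstration: what follows depends only on the CTR construction."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()


def ctr_keystream(key: bytes, start_ctr: int, nbytes: int) -> bytes:
    """Keystream = block_fn(key, ctr) || block_fn(key, ctr+1) || ... truncated."""
    out = bytearray()
    ctr = start_ctr
    while len(out) < nbytes:
        out += block_fn(key, ctr)
        ctr += 1
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, start_ctr: int, plaintext: bytes) -> bytes:
    return xor(plaintext, ctr_keystream(key, start_ctr, len(plaintext)))


ctr_decrypt = ctr_encrypt  # CTR is its own inverse


def two_time_pad_leak(key: bytes, start_ctr: int, p1: bytes, p2: bytes) -> bytes:
    """Hazard 1: two streams under the same key and counter (the manual-keying
    case). The keystreams are identical, so C1 xor C2 == P1 xor P2, and an
    attacker who knows P1 reads P2 without the key. Returns the recovered P2
    (len(p2) <= len(p1) assumed)."""
    c1 = ctr_encrypt(key, start_ctr, p1)
    c2 = ctr_encrypt(key, start_ctr, p2)
    return xor(xor(c1, c2), p1)


def bit_flip_forgery(key: bytes, start_ctr: int, plaintext: bytes,
                     offset: int, new_bytes: bytes) -> bytes:
    """Hazard 2: without authentication, CTR ciphertext is malleable. An
    attacker who knows (or guesses) the plaintext at `offset` XORs in the
    difference and the receiver decrypts the attacker's chosen bytes.
    Returns what the receiver would decrypt."""
    c = bytearray(ctr_encrypt(key, start_ctr, plaintext))
    for i, nb in enumerate(new_bytes):
        c[offset + i] ^= plaintext[offset + i] ^ nb
    return ctr_decrypt(key, start_ctr, bytes(c))


def distinct_counters_do_not_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """The fix a key-management protocol like IKE buys: a fresh key or a never
    reused counter per stream, so C1 xor C2 no longer equals P1 xor P2."""
    c1 = ctr_encrypt(key, 0, p1)
    c2 = ctr_encrypt(key, 1 << 64, p2)  # non-overlapping counter range
    return xor(c1, c2) != xor(p1, p2)


if __name__ == "__main__":
    key = b"\x01" * 16                          # constructed demo key
    p1 = b"GET /index.html HTTP/1.0\r\n"        # constructed known plaintext
    p2 = b"PUT /secret.txt HTTP/1.0\r\n"        # constructed target plaintext
    print(two_time_pad_leak(key, 0, p1, p2))
    print(bit_flip_forgery(key, 0, b"transfer 0100 dollars to alice", 9, b"9999"))
    print(distinct_counters_do_not_leak(key, p1, p2))
```

The first function is exactly the "two streams encrypted with the same key and counter" scenario: with manually keyed SAs nothing guarantees the counter is never reused across reboots or re-keys, and a single reuse leaks plaintext. The second is why ESP with counter mode needs an integrity check (ESP authentication or a separate AH): CTR provides no detection of modification, and the forged field decrypts cleanly.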