[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: counter mode

To: Helger Lipmaa <helger@tml.hut.fi>
Subject: Re: counter mode
From: Stephen Kent <kent@bbn.com>
Date: Tue, 3 Oct 2000 14:32:45 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <Pine.GSO.4.21.0010031602280.3448-100000@morphine.tml.hut.fi>
References: <Pine.GSO.4.21.0010031602280.3448-100000@morphine.tml.hut.fi>
Sender: owner-ipsec@lists.tislabs.com

Helger,

>A submission of me, Phil Rogaway and David Wagner to the AES Symmetric Key
>Encryption Modes workshop is available from
>http://www.tml.hut.fi/~helger/papers/lrw00.
>
>There has been quite a lot of discussions and misunderstandings concerning
>this mode. We tried to outline why most of the perceived disadvantages are
>not valid. We also proposed the next somewhat foolproof usage scenario:
>sender keeps a N-bit nonce that he increases at every packet transmission.
>The actual counter is computed as
>
>       N-bit nonce || 128-N bit block counter
>
>N=64 makes the most sense security-wise; in standard IPSEC context one
>could use N=32, where nonce = sequence number.
>
>So let's hope counter mode will be accepted as standard. I know that many
>people (also here) would love to incorporate it in their products.

I have some trouble reconciling your suggestion above with the 
proposal in the workshop paper. That paper seems to suggest a 64 bit 
counter value, followed by 64 zero bits, to form a 128-bit counter. 
Above, you seem to suggest a 32-bit counter transmitted with each 
packet, taken from the sequence number field, and a 96-bit block 
counter. You don't indicate whether this latter counter is purely 
intra-packet, or whether it is stateful for all packets received on 
an SA.

The pipelining that is an attraction of counter mode can be effected 
so long as there is a part of the counter that generates enough key 
stream to
cover the largest single packet, measured in the block size of the 
cipher. That part of the counter is purely internal to the endpoints 
and need not be transmitted, and thus need not waste any space in an 
encrypted packet. For example, 16 bits of counter are more than 
sufficient to cover a max size IP datagram, using an 8 or 16 byte 
codebook. If this value is purely intra-packet, then there is no need 
to maintain state for it at sender or receiver, right? That's why I 
raise the question about the size of the block counter above, and ask 
whether it is stateful. I get the feeling (in part from your paper) 
that you might view this latter value as stateful, but that seems to 
add unnecessary complexity to each end.

The 32-bit per-packet counter one gets from the ESP sequence number 
is nominally big enough for IPsec use of this mode, since we don't 
allow the counter to cycle, and the creation of a new SA with a new 
key avoids compromise in depth concerns. But, if we want to, one 
could carry additional counter bits or even an explicit IV, just as 
we do for CBC mode today (so long as there is confidence that the IV 
will be unique on a per SA basis).

Using the lengths of these field values, and if one needs a 128-bit 
counter value for AES the format might look like this:

	IV or high order cntr bits || ESP seq # || intra-packet cntr || zeros

The IV or high order counter bits could be as few as 2 or as many as 
8 bytes (we already accommodate 8-byte IVs for CBC), leaving the zero 
field to be 2-8 bytes. The use of a purely intra-packet counter 
allows all the performance benefits one wants from counter mode, but 
without devoting any per-packet space to carry the bits.

Steve

Follow-Ups:

Re: counter mode

From: Helger Lipmaa <helger@tml.hut.fi>

Re: counter mode

From: Bill Sommerfeld <sommerfeld@East.Sun.COM>

References:

counter mode

From: Helger Lipmaa <helger@tml.hut.fi>

Prev by Date: Re: Rijndael selected as AES
Next by Date: Re: Rijndael selected as AES
Prev by thread: counter mode
Next by thread: Re: counter mode
Index(es):
- Main
- Thread