[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SHA-256/384/512

To: <smb@research.att.com>
Subject: RE: SHA-256/384/512
From: "Joseph D. Harwood" <jharwood@vesta-corp.com>
Date: Sat, 3 Mar 2001 09:29:39 -0800
Cc: "Ipsec" <ipsec@lists.tislabs.com>
Importance: Normal
In-Reply-To: <20010303020649.E844435C42@berkshire.research.att.com>
Sender: owner-ipsec@lists.tislabs.com

Thanks for your feedback.

A related question about AES counter mode for encryption with AES-MAC for
authentication...

The slides proposed AES counter mode so data blocks could be encrypted in
parallel (unlike CBC, which requires the results from block N before
beginning encryption of block N+1).  If I remember correctly, MAC
authentication would be encrypting every block via AES using some sort of
feedback, and using the final ciphertext as the authentication data.
Something like:

Hash[n+1] = Block[n+1] ^ Encrypt(Data = Block[n+1],Key = Hash[n])
AES-MAC == Hash[Last Block]

This means AES-MAC for authentication would have a similar performance to
AES-CBC for encryption, so there wouldn't be an overall performance
advantage in using AES counter mode with parallel hardware for encryption.
Is this correct?

Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com

> -----Original Message-----
> From: smb@research.att.com [mailto:smb@research.att.com]
> Sent: Friday, March 02, 2001 6:07 PM
> To: Joseph D. Harwood
> Cc: Ipsec
> Subject: Re: SHA-256/384/512
>
>
> In message
> <NDBBIBHFGLMFGJLIBOBMIEJICCAA.jharwood@vesta-corp.com>, "Joseph D. H
> arwood" writes:
> >This is a multi-part message in MIME format.
> >
> >------=_NextPart_000_0016_01C0A342.630F73E0
> >Content-Type: text/plain;
> >	charset="iso-8859-1"
> >Content-Transfer-Encoding: 7bit
> >
> >In looking over Steve Kent's slides from the IPsec working group
> meeting on
> >"IPsec Enhancements for High Speed Networks," it discusses only
> AES-MAC for
> >authentication.  Does this mean HMAC-SHA256 (/384/512) are not being
> >considered?
> >
> At the moment, it's easier to build very fast hardware encryptors than
> very fast hardware SHA chips.  No one is deprecating HMAC; it's just
> that it's not the best choice for very high speed nets.
>
>
> 		--Steve Bellovin, http://www.research.att.com/~smb
>
>
>

BEGIN:VCARD
VERSION:2.1
N:Harwood;Joseph;D.
FN:Joseph D. Harwood
ORG:Vesta Corporation
ADR;WORK:;(408) 838-9434;5201 Great America Parkway, Suite 320;Santa Clara;CA;95054
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:(408) 838-9434=0D=0A5201 Great America Parkway, Suite 320=0D=0ASanta Clara, =
CA 95054
URL:
URL:http://www.vesta-corp.com
EMAIL;PREF;INTERNET:jharwood@vesta-corp.com
REV:20001011T162328Z
END:VCARD

References:

Re: SHA-256/384/512

From: "Steven M. Bellovin" <smb@research.att.com>

Prev by Date: IPSec Provisioning Tools
Next by Date: Re: SHA-256/384/512
Prev by thread: Re: SHA-256/384/512
Next by thread: Re: SHA-256/384/512
Index(es):
- Main
- Thread