
Re: SHA-256/384/512



In message <NDBBIBHFGLMFGJLIBOBMKEJLCCAA.jharwood@vesta-corp.com>, "Joseph D. Harwood" writes:

>A related question about AES counter mode for encryption with AES-MAC for
>authentication...
>
>The slides proposed AES counter mode so data blocks could be encrypted in
>parallel (unlike CBC, which requires the results from block N before
>beginning encryption of block N+1).  If I remember correctly, MAC
>authentication would be encrypting every block via AES using some sort of
>feedback, and using the final ciphertext as the authentication data.
>Something like:
>
>Hash[n+1] = Block[n+1] ^ Encrypt(Data = Block[n+1],Key = Hash[n])
>AES-MAC == Hash[Last Block]
>
>This means AES-MAC for authentication would have a similar performance to
>AES-CBC for encryption, so there wouldn't be an overall performance
>advantage in using AES counter mode with parallel hardware for encryption.
>Is this correct?

Yes -- I raised precisely this objection to counter mode, both at the
IPsec wg meeting and at the NIST Modes of Operation workshop.

		--Steve Bellovin, http://www.research.att.com/~smb
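The performance contrast the question describes, as an added example written for this archive page rather than code from either poster: Go's standard-library AES is used to encrypt in counter mode with one goroutine per block (each keystream block is E_K(nonce || counter) and depends on nothing computed earlier), and to compute a CBC-MAC, where block n+1 cannot be processed until the chaining value from block n exists. The chained MAC here is the standard CBC-MAC rather than the exact feedback formula recalled in the quoted message, but the serial dependency it illustrates is the same. The key, nonce and messages are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sync"
)

// Constructed sample inputs (not from the original post).
var (
	sampleKey       = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	sampleNonce     = []byte("nonce123")                         // 8 bytes: top half of the counter block
	samplePlaintext = []byte("The quick brown fox jumps over the lazy dog, encrypted in CTR mode")
	sampleMessage   = []byte("0123456789abcdefABCDEFGHIJKLMNOPqrstuvwxyz012345") // 3 whole blocks
)

// ctrKeystreamBlock returns E_K(nonce || i) for block index i. It depends only
// on the key, the nonce and i, so keystream blocks can be computed in any order.
func ctrKeystreamBlock(block cipher.Block, nonce []byte, i uint64) []byte {
	ctr := make([]byte, aes.BlockSize)
	copy(ctr[:8], nonce)
	binary.BigEndian.PutUint64(ctr[8:], i)
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, ctr)
	return ks
}

// ctrEncryptParallel is AES-CTR with one goroutine per block. No goroutine
// waits for another block's output. The counter layout (8-byte nonce, 8-byte
// big-endian counter starting at 0) matches crypto/cipher's NewCTR when the IV
// is the nonce followed by eight zero bytes.
func ctrEncryptParallel(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(nonce) != 8 {
		panic("nonce must be 8 bytes")
	}
	out := make([]byte, len(plaintext))
	nBlocks := (len(plaintext) + aes.BlockSize - 1) / aes.BlockSize
	var wg sync.WaitGroup
	for i := 0; i < nBlocks; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			ks := ctrKeystreamBlock(block, nonce, uint64(i))
			start := i * aes.BlockSize
			end := start + aes.BlockSize
			if end > len(plaintext) {
				end = len(plaintext)
			}
			for j := start; j < end; j++ { // each goroutine writes its own disjoint range of out
				out[j] = plaintext[j] ^ ks[j-start]
			}
		}(i)
	}
	wg.Wait()
	return out
}

// cbcMAC computes the classic CBC-MAC (zero IV, tag = last CBC ciphertext
// block) over a message that is a whole number of blocks. The cipher input for
// block n+1 is Block[n+1] XOR chain[n], so block n+1 cannot start until the
// encryption of block n has finished: the work is serial, exactly like CBC
// encryption, whatever hardware parallelism is available.
func cbcMAC(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(msg)%aes.BlockSize != 0 {
		panic("cbcMAC: message must be a whole number of blocks")
	}
	chain := make([]byte, aes.BlockSize) // IV = 0
	in := make([]byte, aes.BlockSize)
	for off := 0; off < len(msg); off += aes.BlockSize {
		for j := range in {
			in[j] = msg[off+j] ^ chain[j]
		}
		block.Encrypt(chain, in) // chain now holds the value the next block must wait for
	}
	return chain
}

func main() {
	ct := ctrEncryptParallel(sampleKey, sampleNonce, samplePlaintext)
	fmt.Println("CTR ciphertext:", hex.EncodeToString(ct))
	fmt.Println("CBC-MAC tag:   ", hex.EncodeToString(cbcMAC(sampleKey, sampleMessage)))
}
```

Two caveats a practitioner would want alongside this: raw CBC-MAC with a fixed zero IV is only secure for messages of a single fixed length (CMAC, NIST SP 800-38B, is the fix for variable-length messages), and the serial bottleneck discussed in this thread is exactly what later parallelizable authenticators such as GCM's GHASH were designed to remove.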
