
Re: SHA-256/384/512



Steve,

"Steven M. Bellovin" wrote:
> 
> In message <NDBBIBHFGLMFGJLIBOBMKEJLCCAA.jharwood@vesta-corp.com>, "Joseph D. Harwood" writes:
> 
> >A related question about AES counter mode for encryption with AES-MAC for
> >authentication...
> >
> >The slides proposed AES counter mode so data blocks could be encrypted in
> >parallel (unlike CBC, which requires the results from block N before
> >beginning encryption of block N+1).  If I remember correctly, MAC
> >authentication would be encrypting every block via AES using some sort of
> >feedback, and using the final ciphertext as the authentication data.
> >Something like:
> >
> >Hash[n+1] = Block[n+1] ^ Encrypt(Data = Block[n+1],Key = Hash[n])
> >AES-MAC == Hash[Last Block]
> >
> >This means AES-MAC for authentication would have a similar performance to
> >AES-CBC for encryption, so there wouldn't be an overall performance
> >advantage in using AES counter mode with parallel hardware for encryption.
> >Is this correct?
> 
> Yes -- I raised precisely this objection to counter mode, both at the
> IPsec wg meeting and at the NIST Modes of Operation workshop.
> 
>                 --Steve Bellovin, http://www.research.att.com/~smb

I agree that current message authentication methods are the bottleneck in this
scenario.  However, I don't agree with the inference that counter mode is not
worthwhile, as faster, parallelizable authentication methods exist and are
easily adaptable to ESP.  Of course, it remains to agree which of those methods
is worthwhile and produce a spec. 

IIRC, the other objection to CM that you raised was that the lack of an explicit
IV makes CM vulnerable if the same key is used within multiple SAs.  While this
is clearly an important caveat for CM, proper key management would prevent this
from happening.  There would need to be a series of failures for this to happen
with IKE, for example.  IMHO, the lower encapsulation overhead that is
achievable with CM is one of the advantages of having real key management.

David
mcgrew@cisco.com
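
The two points argued in the thread above (counter mode encrypts blocks independently while a chained CBC-style MAC cannot, and counter mode with a shared key and colliding counter blocks leaks plaintext) can be seen directly in code. The following is an added example, not code from either poster or from any IPsec specification. It uses Go's standard-library AES; the counter-block layout (4-byte per-SA salt, 8-byte per-packet IV, 4-byte block counter) and the constructed key and payloads are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// ctrBlock builds the 16-byte counter block for block index i of one packet:
// 4-byte per-SA salt || 8-byte per-packet IV || 4-byte block counter (big-endian).
// This layout is an assumption made for the example, not something the thread specifies.
func ctrBlock(salt [4]byte, iv [8]byte, i uint32) [16]byte {
	var b [16]byte
	copy(b[0:4], salt[:])
	copy(b[4:12], iv[:])
	binary.BigEndian.PutUint32(b[12:16], i)
	return b
}

// ctrKeystreamBlock computes the keystream for block i from the key and counter
// block alone. Nothing from block i-1 is needed, so all blocks can run in parallel.
func ctrKeystreamBlock(key []byte, salt [4]byte, iv [8]byte, i uint32) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	cb := ctrBlock(salt, iv, i)
	ks := make([]byte, aes.BlockSize)
	c.Encrypt(ks, cb[:])
	return ks
}

// ctrEncrypt XORs each block of pt with its own keystream block. Decryption is the
// same call applied to the ciphertext. Hand-rolled (instead of cipher.NewCTR) only
// to keep the per-block independence visible.
func ctrEncrypt(key []byte, salt [4]byte, iv [8]byte, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for off := 0; off < len(pt); off += aes.BlockSize {
		end := off + aes.BlockSize
		if end > len(pt) {
			end = len(pt)
		}
		ks := ctrKeystreamBlock(key, salt, iv, uint32(off/aes.BlockSize))
		for j := off; j < end; j++ {
			ct[j] = pt[j] ^ ks[j-off]
		}
	}
	return ct
}

// cbcMAC is the chained construction the quoted message describes: the input to
// block n+1 is its plaintext XOR the output of block n, so block n+1 cannot start
// until block n has finished. Raw CBC-MAC is only safe for fixed-length messages;
// it is here to show the serial dependency, not as a recommended MAC.
func cbcMAC(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	tag := make([]byte, aes.BlockSize)
	for off := 0; off < len(msg); off += aes.BlockSize {
		blk := make([]byte, aes.BlockSize) // zero-padded final block
		copy(blk, msg[off:])
		for j := range blk {
			blk[j] ^= tag[j]
		}
		c.Encrypt(tag, blk)
	}
	return tag
}

// keystreamReuseLeak is the hazard raised in the thread: two SAs share a key and
// their counter blocks collide. XORing the two ciphertexts cancels the keystream,
// leaving p1 XOR p2, so anyone who knows p1 reads p2. Distinct per-SA salts (or
// distinct keys) prevent the collision. p1 and p2 are assumed to be the same length.
func keystreamReuseLeak(key []byte, salt [4]byte, iv [8]byte, p1, p2 []byte) []byte {
	c1 := ctrEncrypt(key, salt, iv, p1)
	c2 := ctrEncrypt(key, salt, iv, p2)
	x := make([]byte, len(p1))
	for i := range x {
		x[i] = c1[i] ^ c2[i]
	}
	return x
}

func main() {
	key := bytes.Repeat([]byte{0x2b}, 16) // constructed key, not a real SA key
	salt, iv := [4]byte{1, 2, 3, 4}, [8]byte{7, 7, 7, 7, 7, 7, 7, 7}
	p1 := []byte("SA payload number one, 32 bytes!") // constructed payloads
	p2 := []byte("SA payload number two, 32 bytes!")
	fmt.Printf("keystream for block 1 alone: %x\n", ctrKeystreamBlock(key, salt, iv, 1))
	fmt.Printf("cbc-mac(p1):                 %x\n", cbcMAC(key, p1))
	fmt.Printf("c1 xor c2 (= p1 xor p2):     %x\n", keystreamReuseLeak(key, salt, iv, p1, p2))
}
```

Note that the leaked XOR in the last line does not depend on the key at all: once two counter blocks collide under one key, the strength of AES is irrelevant, which is why the per-SA uniqueness of the counter block (whether by salt, by key, or both) has to be guaranteed by key management rather than hoped for.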

