
RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt



[Klaus]
> > Yes, I agree with you, I cannot see any reason to use an external IV for
> > AES CTR if algorithms can easily be defined for internal building of IVs
> > with ESP sequence number and SPI. The only cryptographic requirement for the
> > sequence of IVs is that all the counter values, derived from all the IVs
> > over all the ESP packets, transformed by AES, are different as long as one
> > fixed key is used.

[David]
>That's right.  Additionally, some additional strength against attacks which
>rely on precomputation of a database to use during the attack stage can be
>gained by having part of the counter be secret.

We have discussed the inclusion of a secret component in the counter.  It 
complicates the key management by requiring an additional secret value to 
be managed.  If one is concerned about this type of dictionary attack, the 
use of a longer AES key provides more protection without imposing 
additional requirements on key management.

Russ
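
Added example, not part of the original message or of the draft: a sketch of building counter blocks internally from the SPI and ESP sequence number, with a check of the uniqueness requirement stated above. The field layout (32-bit SPI, 32-bit sequence number, 64-bit block index) and the names `counter_blocks`, `OutboundSA` and `reused` are assumptions made for illustration.

```python
import struct
from collections import Counter

AES_BLOCK = 16  # AES block size in bytes

def counter_blocks(spi, seq, payload_len):
    """Counter blocks for one ESP packet.

    Assumed layout (illustration only, not taken from the draft):
    SPI (32 bits) || ESP sequence number (32 bits) || block index (64 bits).
    """
    if not 0 <= spi < 2**32:
        raise ValueError("SPI must fit in 32 bits")
    if not 1 <= seq < 2**32:
        raise ValueError("sequence number must be in 1..2^32-1")
    nblocks = -(-payload_len // AES_BLOCK)  # ceiling division
    return [struct.pack("!IIQ", spi, seq, i) for i in range(nblocks)]

class OutboundSA:
    """Hypothetical sender state for one SA, i.e. one fixed key."""
    def __init__(self, spi):
        self.spi = spi
        self.seq = 0

    def next_packet(self, payload_len):
        # A wrapped sequence number would repeat counter blocks under the
        # same key, so refuse to send and force a rekey instead.
        if self.seq >= 2**32 - 1:
            raise OverflowError("sequence number exhausted; rekey the SA")
        self.seq += 1
        return counter_blocks(self.spi, self.seq, payload_len)

def reused(blocks):
    """Return the counter blocks that occur more than once."""
    return [b for b, n in Counter(blocks).items() if n > 1]

if __name__ == "__main__":
    sa = OutboundSA(spi=0x1000)  # constructed sample values
    sent = sa.next_packet(40) + sa.next_packet(16)
    print(len(sent), "blocks, reused:", reused(sent))
    # Same sequence number twice under one key: block index 0 collides.
    bad = counter_blocks(0x1000, 7, 40) + counter_blocks(0x1000, 7, 16)
    print("reused after repeat:", [b.hex() for b in reused(bad)])
```

Because the sequence number is unique per packet within one SA and the block index is unique within a packet, every counter block under the key is distinct until the sequence number would wrap.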