
RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt



At 07:55 AM 8/13/2002, Housley, Russ wrote:
>>[David]
>>To be precise, using a 192-bit AES key rather than a 64-bit 'secret counter
>>component' does not provide more security.  This is because precomputation
>>attacks are foiled equally well by either method, and the security level of a
>>cryptosystem is determined by the minimum effective attack.  A 192-bit AES
>>key does potentially provide protection against more types of attacks, of
>>course.
>
>It seems to me that the inclusion of a public value that cannot be 
>predicted by the attacker provides the same protection against 
>precomputation attacks.  That is the reason that the truncated SPI is 
>included in the counter block in the current document.

Just one obvious comment: if the security analysis of 
draft-ietf-ipsec-ciph-aes-ctr-00.txt was done under the assumption that 
(truncated) SPIs are unpredictable (or at least nonconstant), the draft 
should explicitly require that the (truncated) SPIs be unpredictable (or at 
least nonconstant).  Currently, RFC2401, 2406 impose no such requirement on 
an implementation.

--
scott