
RE: a lengthy analysis of counter mode and ESP



I had a look at the paper and, assuming I interpreted it correctly, the gist of it is that you can differentiate between counter-mode key stream and a purely random sequence because a counter-mode key doesn't exhibit the birthday paradox. This assumes that you have a counter-mode oracle that can provide the key stream. Does anyone have any idea of the significance of this property?

Chris

-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: 16 August 2002 19:23
To: ipsec@lists.tislabs.com
Subject: a lengthy analysis of counter mode and ESP

We have been discussing how to make use of AES in counter mode with ESP. Several folks have told me that the discussion is not generally understandable, because of the many subtle issues involved and because when the discussion moved to the general IPsec list, from the design team list, we failed to do an adequate job of establishing context. So, this very lengthy message is an attempt to provide background and a more thorough discussion of the various technical issues associated with this complex topic. Hopefully, the WG as a whole will better understand the issues and be better positioned to make choices as a result of this analysis.

Steve

----------

To put this issue in perspective, the current ID warns implementers against generating keystream for more than 2^64 blocks (not packets), even though we do not know of any specific vulnerabilities that could be exploited if this limit is exceeded. Yet we understand precisely what attacks could result if keystream is reused. Thus it makes sense to adopt approaches to keystream management that do not make it harder to do this task in a very secure fashion.
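An added illustration of the property Chris describes, not part of the original thread: a block cipher is a permutation, so under one key counter-mode keystream blocks never repeat, whereas a truly random stream of n b-bit blocks shows about n(n-1)/2^(b+1) repeated blocks. The code below assumes a toy 16-bit Feistel cipher (constructed here so the birthday bound of 2^8 blocks is reachable); for AES's 128-bit block the same bound is the 2^64 blocks the draft warns about.

```python
import hashlib
import random

BLOCK_BITS = 16                  # toy block size so the birthday bound (2^8 blocks) is reachable
HALF = BLOCK_BITS // 2
HALF_MASK = (1 << HALF) - 1

def _feistel_f(key: bytes, rnd: int, half: int) -> int:
    # Keyed round function built from SHA-256; illustrative only, not a real cipher.
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & HALF_MASK

def toy_block_cipher(key: bytes, block: int, rounds: int = 8) -> int:
    # Balanced Feistel network: a bijection on 16-bit blocks whatever the round
    # function is, which is the block-cipher property that matters here.
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(rounds):
        left, right = right, left ^ _feistel_f(key, rnd, right)
    return (left << HALF) | right

def ctr_keystream(key: bytes, nblocks: int) -> list:
    # Counter mode: keystream block i is E_K(i); distinct counters give distinct blocks.
    return [toy_block_cipher(key, ctr) for ctr in range(nblocks)]

def random_stream(nblocks: int, seed: int = 1) -> list:
    # What an ideal random keystream would look like (seeded for reproducibility).
    rng = random.Random(seed)
    return [rng.getrandbits(BLOCK_BITS) for _ in range(nblocks)]

def repeated_blocks(stream: list) -> int:
    # Number of blocks that duplicate an earlier block in the stream.
    return len(stream) - len(set(stream))

def expected_repeats(nblocks: int, block_bits: int = BLOCK_BITS) -> float:
    # Birthday estimate for a random stream: n(n-1)/2 pairs, each colliding with prob 2^-b.
    return nblocks * (nblocks - 1) / 2 / (1 << block_bits)

def is_permutation(key: bytes) -> bool:
    # Exhaustively confirm the toy cipher is a bijection over all 2^16 inputs.
    outputs = {toy_block_cipher(key, b) for b in range(1 << BLOCK_BITS)}
    return len(outputs) == (1 << BLOCK_BITS)

if __name__ == "__main__":
    n = 4096                         # 16x the 2^8-block birthday bound of the toy cipher
    print("CTR keystream repeats:", repeated_blocks(ctr_keystream(b"demo-key", n)))
    print("random stream repeats:", repeated_blocks(random_stream(n)),
          "expected ~%.0f" % expected_repeats(n))
    print("AES-128 birthday bound: 2^%d blocks" % (128 // 2))
```

The distinguishing signal only appears once the keystream approaches the birthday bound, which is why a per-key block limit well below 2^(b/2) keeps counter-mode output indistinguishable from random in practice.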