
RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt



At 7:03 AM -0400 8/23/02, Waterhouse, Richard wrote:
>Michael Richardson wrote
>
>>  Anyone who *needs* AES-CTR mode, likely needs it because they have >1Gb/s
>>  links they want to secure. As such, I think that they have the bandwidth
>>  not to care.
>>
>	>>> There is another application area that can benefit from CTR
>mode. CTR doesn't do error extension. If you are working in a noisy
>environment, have an application that can tolerate errors (but still don't
>want a bit error to multiply), need confidentiality but can do without
>authentication (e.g., you assure through other means that the plaintext is
>inaccessible), CTR would be an appropriate choice. (Yes I know this violates
>a MUST in the current draft, but that MUST leaves the developer without a
>mode appropriate for use in noisy environments.)

Richard,

There are other modes that offer no error extension as well, but at 
lower performance. OFB has been around for 20+ years.

But, as you noted, there is a strong sentiment in the WG against 
using crypto modes that offer no integrity support, while also not 
using an explicit integrity mechanism, because of attacks that can 
undermine confidentiality.

Steve
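
The "no error extension" property discussed in this thread, as an added example that is not part of the original messages: one ciphertext bit is flipped to model channel noise, and the damaged plaintext bits are counted per block for CTR and for CBC. Assumptions: a toy 4-round Feistel cipher built from SHA-256 stands in for AES (illustration only, not a secure cipher), and the key, nonce, IV and plaintext are constructed values.

```python
import hashlib
BLOCK = 16  # bytes per block, as in AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # Feistel round function: truncated SHA-256 (toy stand-in)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def ctr(key, nonce, data):  # the same operation encrypts and decrypts
    ks = b"".join(enc_block(key, nonce + i.to_bytes(4, "big"))
                  for i in range(-(-len(data) // BLOCK)))
    return _xor(data, ks)

def cbc_encrypt(key, iv, data):  # len(data) must be a multiple of BLOCK
    out = [iv]
    for o in range(0, len(data), BLOCK):
        out.append(enc_block(key, _xor(data[o:o + BLOCK], out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, data):
    prev = [iv] + [data[o:o + BLOCK] for o in range(0, len(data), BLOCK)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(prev, prev[1:]))

def flip(data, bit):  # one bit of channel noise
    return bytes(b ^ (1 << (bit % 8)) if i == bit // 8 else b for i, b in enumerate(data))

def block_errors(pt, got):  # damaged plaintext bits, counted per block
    return [sum(bin(x ^ y).count("1") for x, y in zip(pt[o:o + BLOCK], got[o:o + BLOCK]))
            for o in range(0, len(pt), BLOCK)]

def demo():
    key, nonce, iv = b"K" * 16, b"N" * 12, b"I" * 16  # constructed values
    pt = bytes(range(48))                             # three constructed blocks
    ctr_got = ctr(key, nonce, flip(ctr(key, nonce, pt), 5))
    cbc_got = cbc_decrypt(key, iv, flip(cbc_encrypt(key, iv, pt), 5))
    return block_errors(pt, ctr_got), block_errors(pt, cbc_got)
```

`demo()` returns the per-block counts for CTR and then CBC: CTR confines the damage to the single flipped bit, while CBC garbles the whole affected block and flips one bit in the block that follows.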