RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
At 7:03 AM -0400 8/23/02, Waterhouse, Richard wrote:
>Michael Richardson wrote
>
>> Anyone who *needs* AES-CTR mode, likely needs it because they have >1Gb/s
>> links they want to secure. As such, I think that they have the bandwidth
>> not to care.
>>
> >>> There is another application area that can benefit from CTR
>mode. CTR doesn't do error extension. If you are working in a noisy
>environment, have an application that can tolerate errors (but still don't
>want a bit error to multiply), need confidentiality but can do without
>authentication (e.g., you assure through other means that the plaintext is
>inaccessible), CTR would be an appropriate choice. (Yes I know this violates
>a MUST in the current draft, but that MUST leaves the developer without a
>mode appropriate for use in noisy environments.)
Richard,
There are other modes that offer no error extension as well, but at
lower performance. OFB has been around for 20+ years.
But, as you noted, there is a strong sentiment in the WG against
using crypto modes that offer no integrity support, while also not
using an explicit integrity mechanism, because of attacks that can
undermine confidentiality.
Steve
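
An added illustration of the error-extension point discussed in this thread, not code from either poster or from the draft: it flips one ciphertext bit and counts the plaintext bits that change in each block under CTR and under CBC. A 4-round Feistel construction over SHA-256 stands in for AES so the script runs on the Python standard library alone; the key, nonce, IV and ciphertext bytes are constructed.

```python
import hashlib

BLOCK = 16  # bytes, the AES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function from SHA-256 (stand-in, not AES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def ctr_xcrypt(key, nonce, data):  # 8-byte nonce || 64-bit block counter
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = enc_block(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += _xor(data[i:i + BLOCK], ks)
    return bytes(out)

def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        out += _xor(dec_block(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return bytes(out)

def error_spread(decrypt, ct, bit):
    """Flip one ciphertext bit; return changed plaintext bits per block."""
    bad = bytearray(ct)
    bad[bit // 8] ^= 0x80 >> (bit % 8)
    diff = _xor(decrypt(ct), decrypt(bytes(bad)))
    return [sum(bin(b).count("1") for b in diff[i:i + BLOCK])
            for i in range(0, len(ct), BLOCK)]

KEY, NONCE, IV = b"constructed key!", b"nonce-01", bytes(BLOCK)
CT = bytes(range(48))  # constructed: three blocks of "received" ciphertext
BIT = 20 * 8 + 3       # channel error in the second block
print("CTR:", error_spread(lambda c: ctr_xcrypt(KEY, NONCE, c), CT, BIT))
print("CBC:", error_spread(lambda c: cbc_decrypt(KEY, IV, c), CT, BIT))
```

CTR reports a single changed bit in the damaged block, while CBC garbles that whole block and flips one bit in the block after it. The same bit-for-bit correspondence applies to any change made to CTR or OFB ciphertext in transit, which is why these modes are normally paired with an explicit integrity check.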