Counter Mode Security: Analysis and Recommendations
Paul,
a couple of months ago I offered to write up an analysis of counter mode
security after you had pointed out a need for this kind of overview. I've
finally wrapped it up, and put it online at
http://www.mindspring.com/~dmcgrew/ctr-security.pdf
Here's the abstract:
In this document we describe Counter Mode (CM) and its security properties,
reviewing relevant cryptographic attacks and system security aspects. This mode
is well understood and can be implemented securely. However, we show that
attacks using precomputation can be used to lower the security level of AES-128
CM below the recommended strength for ciphers if the initial counter value is
predictable. For this reason, AES-128 CM counter values should contain a 64-bit
unpredictable field. We describe how this can be easily done, and make other
implementation recommendations.
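As an added illustration that is not part of the paper or of this message, the counting argument behind the abstract's 64-bit recommendation, written out for the classic key-collision (precomputation) attack. The symbols $E_K$, $X$, $R$, $t$ and $s$ are my own notation, and the attacker model (many sessions under independent keys, first keystream block known) is an assumption.

Let $E_K$ be AES-128 with a 128-bit key. If the initial counter block $X$ is predictable, every session $i$ with key $K_i$ exposes the same function of its key, namely the first keystream block $E_{K_i}(X)$ (recovered from known plaintext). An attacker precomputes a table

$$
T \;=\; \{\, (E_{K'}(X),\,K') \;:\; K' \in \mathcal{S} \,\}, \qquad |\mathcal{S}| = 2^{t},
$$

then, over $2^{s}$ observed sessions, looks each $E_{K_i}(X)$ up in $T$. Since a match occurs when $K_i \in \mathcal{S}$, the expected number of recovered keys is

$$
\mathbb{E}[\text{matches}] \;=\; 2^{s}\cdot \frac{2^{t}}{2^{128}} \;=\; 2^{\,s+t-128},
$$

so one key is expected as soon as $s + t \geq 128$: with $2^{s}$ sessions the precomputation cost drops to $2^{128-s}$ AES operations, i.e. below the $2^{128}$ work a 128-bit key is supposed to require.

Now let the counter block carry a 64-bit unpredictable field, $X_i = R_i \,\|\, c$ with $R_i$ uniform. A table entry $E_{K'}(R' \,\|\, c)$ only matches session $i$ when both $K_i = K'$ and $R_i = R'$, so each (entry, session) pair matches with probability $2^{-128}\cdot 2^{-64}$ and

$$
\mathbb{E}[\text{matches}] \;=\; 2^{\,s+t-192}.
$$

The attacker now needs $s + t \geq 192$; since $s$ is bounded by the number of sessions actually observed, the 64 unpredictable bits absorb the multi-session advantage and the effective cost per key returns to roughly $2^{128}$. This is the reason the abstract asks for a 64-bit unpredictable field rather than merely a unique one: uniqueness prevents keystream reuse, but only unpredictability defeats precomputation.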