Re: Counter Mode Security: Analysis and Recommendations



Ted,

I concur with your analysis re the storage requirements for this 
attack, and how daunting they seem. This strikes me as the sort of 
attack that I would protect against if it cost almost nothing, but as 
we see, it does have a cost, e.g., in terms of extra storage for 
additional per-SA state for the added bits, or in terms of using 
bigger AES keys, with attendant increases in the number of rounds and 
the key state size. Also there are costs to vendors in supporting the 
additional key sizes and numbers of rounds. At a time when we are 
trying to simplify IPsec and IKE, this seems to be heading in the 
wrong direction.

Steve