[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Counter Mode Security: Analysis and Recommendations
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
Stephen> Ted, I concur with your analysis re the storage requirements
Stephen> for this attack, and how daunting they seem. This strikes me
Stephen> as the sort of attack that I would protect against if it
Stephen> cost almost nothing, but as we see, it does have a cost,
Stephen> e.g., in terms of extra storage for additional per-SA state
Stephen> for the added bits, or in terms of using bigger AES keys,
Stephen> with attendant increases in the number of rounds and the key
Stephen> state size. Also there are costs to vendors in supporting
Stephen> the additional key sizes and numbers of rounds.
Agreed on increasing key sizes. But I don't agree for the case where
128-bit keys and a 64-bit random number are used. Yes, that increases
the per-SA state by 8 bytes. And yes, that cost is "almost nothing".
paul