
Re: Counter Mode Security: Analysis and Recommendations



Stephen Kent wrote:
> Ted,
> I concur with your analysis re the storage requirements for this
> attack, and how daunting they seem. This strikes me as the sort of
> attack that I would protect against if it cost almost nothing, but as
> we see, it does have a cost, 

Stephen, I'd think that (a) it's worth protecting against this
kind of attack, and (b) the modification should be not in adding
key bits or extra rounds - but by adding *some* "salt" to the IV.

Exactly how many bits, where and why - To Be Defined. There's
work underway to provide a more quantitative analysis (D.McGrew
can comment on this part better.)


> .............e.g., in terms of extra storage for
> additional per-SA state for the added bits, or in terms of using
> bigger AES keys, with attendant increases in the number of rounds and
> the key state size.

I can't perceive a few extra bits per SA as real cost. Not really.

> Also there are costs to vendors in supporting the
> additional key sizes and numbers of rounds. At a time when we are
> trying to simplify IPsec and IKE, this seem to be heading in the
> wrong direction.

Yes I agree - this would be heading in the wrong direction.

 
> Steve