Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data

Russ Housley <housley@vigilsec.com> Tue, 17 May 2016 15:20 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <573B34DC.9080103@cs.tcd.ie>
Date: Tue, 17 May 2016 11:19:48 -0400
Message-Id: <FA8C1D26-AF94-427E-942F-DA0D8A5C73A3@vigilsec.com>
References: <D35F6F11.93C3E%paul@marvell.com> <297966AA-C7E0-4C3B-BA56-8D61D7824D66@vigilsec.com> <D35F843A.93C91%paul@marvell.com> <89A44D23-D8A2-4A2F-A94E-6A362FC195C7@vigilsec.com> <573B24ED.70708@cs.tcd.ie> <00A212BA-E86D-4DF5-8987-FA1DF046B634@vigilsec.com> <573B34DC.9080103@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/1Rs9gPO6OztMt2_qU5Fwrh1FgCM>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data

Stephen:

>>> On 17/05/16 14:50, Russ Housley wrote:
>>>> I do not speak for NSA.  However, NSA only uses algorithms and
>>>> modes that are FIPS-approved.  AES-SIV does not meet that
>>>> requirement.  If that happens in the future, then the direction
>>>> might change.
>>> 
>>> I don't speak for anyone:-)
>>> 
>>> I strongly believe that holding off from making improvements on the
>>> basis of FIPS approval/certification is a really bad idea. If a
>>> case can be made that the suggested change is less good or no
>>> better than the FIPS approved/certified thing, then that is a
>>> debate worth having, but waving the FIPS flag is not itself IMO a
>>> good counter argument to a claim that some change is an
>>> improvement.
>> 
>> Your comments are beyond the context of the question at the front of
>> this thread.
>> 
>> This thread was about a particular set of IEEE 802.11 ballot
>> comments: 
>> https://mentor.ieee.org/802.11/dcn/16/11-16-0596-01-00ai-more-counters.docx
> 
> Actually, I think my comments are relevant.
> 
> All IMO of course, but if IEEE decided to use AES-GCM and not
> SIV on sound technical bases, that's fine. If however, IEEE
> decided to use AES-GCM and not SIV solely or mostly due to the
> FIPS argument, that's bad.
> 
> Earlier up-thread, the comment was made that FIPS approval is
> a reason to go with GCM here and not SIV. I'm saying that's a
> bad argument unless both schemes are otherwise the same in terms
> of interesting technical properties.
> 
>> 
>> 
>>> And I'd be disappointed if an international organisation of any
>>> kind did accept that kind of flag waving.
>> 
>> I guess that you are disappointed.  I understand that AES-SIV was
>> selected over AES-GCM.
> 
> That's the opposite of what Peter's submission (in the URL above)
> is suggesting. Has that been decided or is it still in play? Peter's
> suggested change back to GCM is dated May 15th so I guessed that that
> is still in progress.

My understanding is that the task group rejected the proposed changes yesterday.

Russ