Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data
"Dan Harkins" <dharkins@lounge.org> Tue, 17 May 2016 00:30 UTC
Message-ID: <c2e1d0f562d065a6f4d2052607a46280.squirrel@www.trepanning.net>
In-Reply-To: <297966AA-C7E0-4C3B-BA56-8D61D7824D66@vigilsec.com>
References: <D35F6F11.93C3E%paul@marvell.com> <297966AA-C7E0-4C3B-BA56-8D61D7824D66@vigilsec.com>
Date: Mon, 16 May 2016 17:30:36 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/BrjJkeUhK2_Wbs-f8YFQ5NbAz5Y>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data
On Mon, May 16, 2016 1:56 pm, Russ Housley wrote:
>
> On May 16, 2016, at 3:35 PM, Paul Lambert <paul@marvell.com> wrote:
>
>> I would think that nonce/counter misuse protection would be an advantage
>> for this type of application.
>
> I do not see how. There is a fresh key-encryption key for each wrap.
> Where can the counter be reused?

  The application isn't really key wrapping, it's protection of some
handshaking messages for an authentication protocol. The resulting
security association is a bit longer-lived, so subsequent packets for
on-going maintenance of the SA-- like rekeying traffic keys-- would use
the same (now "unfresh") key. Parts of the packet get encrypted and the
whole thing gets authenticated.

  So instead of doing an ad hoc construction of cipher (in CBC mode, or
CTR mode, or ...) and MAC (HMAC-SHAXYZ) and making sure the order is
right, it's easier to use a provably secure construction that does
authenticated encryption with AAD. Using one that doesn't require any
kind of additional nonce to be contributed is more attractive. Robust
misuse resistance is a virtue for a thing like this.

  regards,

  Dan.

> Russ
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
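The point Dan makes above, that a key which outlives a single message is safer under a misuse-resistant AEAD, is easier to see with a small side-by-side. The following is an added illustration, not code from the thread or from any of the participants. It is a toy: HMAC-SHA256 stands in for both the S2V-style PRF and the CTR keystream generator, so the structure is that of SIV (synthetic IV derived from AAD and plaintext, then used as the counter-mode IV and as the tag) but the primitives are not those of RFC 5297 AES-SIV. All keys, nonces and messages are constructed sample values. It shows that plain CTR with a repeated nonce cancels its keystream (c1 XOR c2 equals p1 XOR p2), while the SIV-style mode under the same key reuse yields unrelated ciphertexts for different plaintexts and only reveals equality of identical (AAD, plaintext) pairs.

```python
"""Toy SIV-style AEAD beside plain CTR, to show what nonce/key reuse leaks.
Added illustration using HMAC-SHA256 as a stand-in PRF; NOT RFC 5297 AES-SIV."""
import hashlib
import hmac

IV_LEN = 16  # bytes of synthetic IV / tag kept from the PRF output


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = HMAC(key, iv || i), truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Plain counter mode with a caller-supplied nonce and no authentication."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def _siv_tag(k1: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """S2V stand-in: PRF over length-prefixed AAD and the plaintext."""
    msg = len(aad).to_bytes(4, "big") + aad + plaintext
    return hmac.new(k1, msg, hashlib.sha256).digest()[:IV_LEN]


def siv_encrypt(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """SIV: IV = PRF(K1, AAD, P); C = CTR(K2, IV, P); output IV || C.
    No nonce is taken from the caller; the IV doubles as the tag."""
    k1, k2 = key[:32], key[32:]
    iv = _siv_tag(k1, aad, plaintext)
    return iv + xor(plaintext, keystream(k2, iv, len(plaintext)))


def siv_decrypt(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Decrypt under CTR, then recompute the synthetic IV and compare in constant time."""
    k1, k2 = key[:32], key[32:]
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    plaintext = xor(body, keystream(k2, iv, len(body)))
    if not hmac.compare_digest(iv, _siv_tag(k1, aad, plaintext)):
        raise ValueError("authentication failed")
    return plaintext


def ctr_nonce_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the reused keystream cancelled out."""
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)


def siv_reuse_behaviour(key: bytes, aad: bytes, p1: bytes, p2: bytes) -> dict:
    """Under the same long-lived key: different plaintexts get unrelated IVs and
    keystreams; only an identical (AAD, plaintext) pair repeats its ciphertext."""
    c1 = siv_encrypt(key, aad, p1)
    c2 = siv_encrypt(key, aad, p2)
    return {
        "ivs_differ": c1[:IV_LEN] != c2[:IV_LEN],
        "xor_leaks_plaintext": xor(c1[IV_LEN:], c2[IV_LEN:]) == xor(p1, p2),
        "deterministic": siv_encrypt(key, aad, p1) == c1,
    }


def siv_rejects_modified_aad(key: bytes, aad: bytes, plaintext: bytes) -> bool:
    """The authenticated-but-not-encrypted part is bound by the tag as well."""
    ct = siv_encrypt(key, aad, plaintext)
    try:
        siv_decrypt(key, aad + b"x", ct)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    KEY = bytes(range(64))  # constructed sample key: K1 = first 32 bytes, K2 = rest
    P1, P2 = b"rekey: traffic key A", b"rekey: traffic key B"
    print("CTR nonce reuse leaks p1^p2:", ctr_nonce_reuse_leaks(KEY[:32], b"fixed", P1, P2))
    print("SIV under key reuse:", siv_reuse_behaviour(KEY, b"SA-header", P1, P2))
    print("SIV rejects modified AAD:", siv_rejects_modified_aad(KEY, b"SA-header", P1))
```

The `deterministic` field is the one genuine cost of SIV in this setting: two maintenance packets with identical AAD and plaintext produce identical ciphertext, so an observer learns that a message repeated. That is the "misuse" SIV tolerates gracefully; CTR-based modes such as GCM instead leak the XOR of the two plaintexts and, for GCM, the authentication key as well.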