Re: [Cfrg] matching AES security
"Dan Harkins" <dharkins@lounge.org> Fri, 01 August 2014 16:21 UTC
From: Dan Harkins <dharkins@lounge.org>
To: Brian Smith <brian@briansmith.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/H-JJBtK2skHIV-kZkWyn_ccZtk4
Cc: cfrg@irtf.org
On Thu, July 31, 2014 8:57 am, Brian Smith wrote:
> On Wed, Jul 30, 2014 at 5:33 AM, D. J. Bernstein <djb@cr.yp.to> wrote:
>> These attacks assume that the attacker sees ciphertext for, e.g., an
>> all-zero block encrypted under all of the keys. Sometimes protocols
>> randomize their blocks to try to stop these attacks---but putting
>> complications into protocols to compensate for a cipher's deficient
>> security is _not_ a smart way to design a cryptographic system.
>
> I agree that it would be better to not need to randomize blocks to
> avoid the attacks you alluded to. However, it seems like randomizing
> the blocks is often easy; for example, I think it would be pretty easy
> to define AES-GCM and ChaCha20-Poly1305 cipher suites for TLS in a way
> where the initial nonce comes from the PRF and is then incremented.

  That's basically the SIV mode of AES (RFC 5297). Perhaps that deserves
another look (I tried to interest the TLS WG in that mode ages ago).

  Dan.