Re: [Cfrg] draft-housley-ccm-mode-00.txt

Uri Blumenthal <uri@bell-labs.com> Fri, 16 August 2002 20:21 UTC

Message-Id: <200208162018.QAA23863@nwmail.wh.lucent.com>
Content-Type: text/plain; charset="iso-8859-1"
From: Uri Blumenthal <uri@bell-labs.com>
Reply-To: uri@bell-labs.com
Organization: Lucent Technologies / Bell Labs
To: "Housley, Russ" <rhousley@rsasecurity.com>, Greg Rose <ggr@qualcomm.com>
Subject: Re: [Cfrg] draft-housley-ccm-mode-00.txt
Date: Fri, 16 Aug 2002 16:15:40 -0400
X-Mailer: KMail [version 1.3.2]
Cc: cfrg@ietf.org
References: <5.1.0.14.2.20020815104520.03521ac8@exna07.securitydynamics.com> <5.1.0.14.2.20020815155506.032e8e40@exna07.securitydynamics.com>
In-Reply-To: <5.1.0.14.2.20020815155506.032e8e40@exna07.securitydynamics.com>

On Thursday 15 August 2002 15:59, Housley, Russ wrote:
> Greg:
> I understand the conventional wisdom that you are offering.  However,
> authenticated encryption (using a single key) has been an area of
> recent research.  IAPM, OCB, and CCM are approaches.

That conventional wisdom was based on the concept of two
independent algorithms (probably of different strength) - and
on the threat that the failure of the weaker algorithm will
compromise whatever was protected by the stronger
one - when they share the same key.

In this case it's a *combined* algorithm - a "one" thing that
happens to do both encryption and MACing. Thus I don't
think the conventional wisdom applies. In fact, for such
a mode I find it *better* to use a single key.

> Jakob Jonsson from RSA Labs has done a security proof of CCM.  While
> the proceedings are not out yet, his paper was accepted at SAC.  The
> peer reviewer did not find any problems, and I look forward to the
> broader review once the paper is readily available.

I'd like a look at that paper, if possible.

Thanks!

> At 03:52 AM 8/16/2002 +1000, Greg Rose wrote:
> >Doing the authentication and the encryption with the same key is bad
> >practice. You should take the input key, and derive from it two
> >subordinate keys, which are independent of each other as far as an
> > outside attacker can tell, then use one of them for the counter
> > mode encryption, the other for the CBC-MAC.
> >
> >regards,
> >Greg.
> >
> >At 10:55 AM 8/15/2002 -0400, Housley, Russ wrote:
> >>Dear CFRG:
> >>
> >>I would like to draw your attention to this document.  It contains
> >>a specification for an authenticated encryption mode.  It was
> >>designed for use with AES, but, of course, it will work with any
> >>128-bit block cipher.
> >>
> >>The authors have submitted it to NIST for consideration as a FIPS
> >>mode.  You can learn more about CCM and the other proposed modes at
> >> the NIST web site ( see
> >> http://csrc.nist.gov/encryption/modes/proposedmodes/ ).
> >>
> >>IEEE 802.11 has chosen to make CCM the mandatory to implement AES
> >> mode for wireless LAN encryption. IEEE 802.15 has also chosen CCM
> >> for use with personal area networks.  In my opinion, this success
> >> is due to the lack of a patent (or pending patent from the
> >> authors) on CCM.  I suspect that most of the members of this list
> >> are aware that other candidate authenticated encryption modes are
> >> encumbered.
> >>
> >>It is my intention to publish draft-housley-ccm-mode-00.txt as an
> >>Informational RFC.  This looks like the appropriate group to review
> >> the document.
> >>
> >>Russ
> >>
> >>_______________________________________________
> >>Cfrg mailing list
> >>Cfrg@ietf.org
> >>https://www1.ietf.org/mailman/listinfo/cfrg
> >
> >Greg Rose                      INTERNET: ggr@qualcomm.com
> >Qualcomm Australia             VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
> >Level 3, 230 Victoria Road,    http://people.qualcomm.com/ggr/
> >Gladesville NSW 2111           232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C

-- 
Regards,
Uri-David
-=-=-<>-=-=-
<Disclaimer>
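Added example, not from this thread or from the CCM draft: the two-key CTR + CBC-MAC composition Greg describes, written in Go on the standard library so the key split and the tag check can be run and inspected. It assumes a 16-byte AES master key and a 12-byte nonce, derives the two subkeys by encrypting two constant blocks under the master key (a constructed derivation chosen for illustration), binds the nonce and message length into the first MAC block, and masks the tag with counter block 0 the way CCM does; CCM as specified uses the master key directly for both halves and formats its blocks differently, so this is a reference for the composition under discussion, not an implementation of the draft.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
)

// setup splits one 16-byte master key into a CTR key and a CBC-MAC key (a constructed
// derivation: CCM itself uses the master key for both) and returns a CTR stream at nonce||0.
func setup(master, nonce []byte) (cipher.Stream, cipher.Block) {
	kdf, err := aes.NewCipher(master)
	if err != nil || len(nonce) != 12 {
		panic("example assumes a 16-byte master key and a 12-byte nonce")
	}
	k1, k2 := make([]byte, 16), make([]byte, 16)
	kdf.Encrypt(k1, []byte{15: 1}) // k1 = AES_master(0x00..01), used for CTR
	kdf.Encrypt(k2, []byte{15: 2}) // k2 = AES_master(0x00..02), used for CBC-MAC
	enc, _ := aes.NewCipher(k1)
	mac, _ := aes.NewCipher(k2)
	return cipher.NewCTR(enc, append(append([]byte{}, nonce...), 0, 0, 0, 0)), mac
}

// cbcMAC is raw CBC-MAC over nonce||len(msg)||msg, zero padded; the length in block 0 keeps it sound.
func cbcMAC(mac cipher.Block, nonce, msg []byte) []byte {
	in := append(append([]byte{}, nonce...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(in[12:], uint32(len(msg)))
	in = append(append(in, msg...), make([]byte, (16-len(msg)%16)%16)...)
	cipher.NewCBCEncrypter(mac, make([]byte, 16)).CryptBlocks(in, in)
	return in[len(in)-16:]
}

// seal returns the CTR ciphertext and the CBC-MAC tag masked with keystream block 0 (CCM's S0).
func seal(master, nonce, msg []byte) (ct, tag []byte) {
	s, mac := setup(master, nonce)
	tag = cbcMAC(mac, nonce, msg)
	s.XORKeyStream(tag, tag) // S0 masks the tag
	ct = make([]byte, len(msg))
	s.XORKeyStream(ct, msg) // S1.. encrypt the body
	return ct, tag
}

// open reverses seal and returns ok=false unless the recomputed tag matches in constant time.
func open(master, nonce, ct, tag []byte) ([]byte, bool) {
	s, mac := setup(master, nonce)
	t, pt := append([]byte{}, tag...), make([]byte, len(ct))
	s.XORKeyStream(t, t) // unmask the tag with S0
	s.XORKeyStream(pt, ct)
	if subtle.ConstantTimeCompare(t, cbcMAC(mac, nonce, pt)) != 1 {
		return nil, false
	}
	return pt, true
}
```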