Re: [Cfrg] new authenticated encryption draft

David McGrew <mcgrew@cisco.com> Wed, 11 October 2006 22:20 UTC

From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Wed, 11 Oct 2006 15:20:11 -0700
To: John Wilkinson <wilkjohn@gmail.com>
Cc: cfrg@ietf.org

Hi John,

On Sep 30, 2006, at 2:58 PM, John Wilkinson wrote:

> David,
>
> Sorry for my delayed response. I've been on business travel lately. I
> think you've got a lot of good comments from other people, and we
> understand each other's positions, so I'll wrap up here.
>
> On 9/15/06, David McGrew <mcgrew@cisco.com> wrote:
>> Hi John,
>>
>> On Sep 14, 2006, at 6:37 PM, John Wilkinson wrote:
>>
>> > David,
>> >
>> > Can you point me to an existing randomized AEAD specification that
>> > might have a more detailed rationale for its randomness?
>>
>> EAX, for one.  It was an explicit design goal for that mode.
>
> I believe that EAX would be classified as "deterministic" under your
> terms, not as "random". EAX takes a nonce, message, and header, and
> deterministically produces a ciphertext (which includes both the
> unencrypted header and authentication tag). Given the same inputs
> (including nonce), EAX always produces the same ciphertext. Prof.
> Wagner, would you like to chime in here?
>

You're right about EAX.  What I meant is that it was a goal that EAX
*could* be used with random nonces, though as you point out it is
deterministic (and is intended for use with deterministic nonces).

>> Most network identifiers are not suitable for use in constructing
>> nonces.  For example, IP addresses are not suitable because of
>> network address translation (NAT) and DHCP, besides the fact that the
>> address identifies an interface rather than a device.  Using a
>> network identifier would also put part of the IV under the control of
>> a system which may not provide high assurance about the distinctness
>> of the IVs, which is not always acceptable.
>
> True, IP addresses may not always be useful in constructing nonces,
> but unique device serial numbers may be.
>
>> The DSA and ECDSA signature algorithms require an internal random
>> source.
>
> Yes, but they don't specify how to obtain that randomness.

Ah, I understand your point.

> From
> Appendix 3 of FIPS:
>
> "In the algorithms in sections 3.1 and 3.2, a secret b-bit seed-key
> is used."
>
> The algorithms in sections 3.1 and 3.2 then specify how to use SHA to
> "stretch" an initial b-bit seed-key into infinitely many secret bits
> for generating private keys and signing.
>
> If you can guarantee a device has a unique b-bit key, I don't
> understand why you can't guarantee that it has a unique serial number.
>
> In any event, good job on writing something up for the lazier among us
> to throw darts at. :)
>

Thanks for bearing with me through the whole discussion!  :-)

David

> -John

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
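An added example, not part of this thread or of the draft under discussion, illustrating the deterministic nonce construction the exchange is about: a fixed field derived from whatever identifier a device presents, followed by an invocation counter, plus a check that counts (key, nonce) collisions across a group of devices sharing one key. The identifiers, the key label and the simulated devices are constructed for the demonstration.

```python
import hashlib
from typing import Iterable, Set, Tuple

NONCE_LEN = 12    # 96-bit nonce, the usual size for GCM/EAX-style modes
COUNTER_LEN = 8   # 64-bit invocation counter
FIXED_LEN = NONCE_LEN - COUNTER_LEN   # 32-bit fixed field


def fixed_field(identifier: bytes) -> bytes:
    """Fixed field = truncated hash of the identifier the device presents.
    Hashing adds no uniqueness: two devices presenting the same identifier
    (e.g. the same NAT public address) get the same fixed field."""
    return hashlib.sha256(identifier).digest()[:FIXED_LEN]


class NonceGenerator:
    """Deterministic nonces fixed || counter; refuses to wrap the counter."""

    def __init__(self, identifier: bytes) -> None:
        self.fixed = fixed_field(identifier)
        self.counter = 0

    def next_nonce(self) -> bytes:
        if self.counter >= 1 << (8 * COUNTER_LEN):
            raise RuntimeError("counter exhausted: rekey before continuing")
        nonce = self.fixed + self.counter.to_bytes(COUNTER_LEN, "big")
        self.counter += 1
        return nonce


def count_reuse(stream: Iterable[Tuple[bytes, bytes]]) -> int:
    """Count (key id, nonce) pairs seen more than once; any repeat under
    one key voids the AEAD's confidentiality and integrity guarantees."""
    seen: Set[Tuple[bytes, bytes]] = set()
    reused = 0
    for pair in stream:
        if pair in seen:
            reused += 1
        seen.add(pair)
    return reused


def simulate(identifiers: Iterable[bytes], per_device: int) -> int:
    """Constructed scenario: several devices share one key and each derives
    its fixed field from the identifier it presents."""
    key_id = b"group-key-1"  # constructed label, not a real key
    gens = [NonceGenerator(i) for i in identifiers]
    return count_reuse((key_id, g.next_nonce())
                       for g in gens for _ in range(per_device))
```

Two devices behind the same NAT that both use the public address as identifier collide on every nonce, while distinct serial numbers produce none; the same check run over captured (key id, nonce) pairs is a cheap detection for counter resets in fielded devices.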