Re: [Cfrg] new authenticated encryption draft
David McGrew <mcgrew@cisco.com> Wed, 11 October 2006 22:20 UTC
In-Reply-To: <f207274d0609301458j263c247l63ccc379bfd0bda@mail.gmail.com>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <p06230910c10e98a55c4c@10.30.1.9> <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com> <3D640F53-58F3-4AE4-AEFC-145BBD9BC9A0@cisco.com> <f207274d0609011652m3bb76587xdd6cd9e1d3140e63@mail.gmail.com> <7BA4156B-14B4-4BB1-BEAD-2237F5B3834D@cisco.com> <f207274d0609111132w655f9b7er2e55c20e67973da5@mail.gmail.com> <1C7CA0AE-3BCC-437B-891F-0D2831BFBFBC@cisco.com> <f207274d0609141837m28cf6400v7cc1a643275f8beb@mail.gmail.com> <89EA334C-4D0C-4DD4-847E-D639E064187D@cisco.com> <f207274d0609301458j263c247l63ccc379bfd0bda@mail.gmail.com>
Message-Id: <F7506B7E-452B-482D-BE50-6521C9B1042A@cisco.com>
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Wed, 11 Oct 2006 15:20:11 -0700
To: John Wilkinson <wilkjohn@gmail.com>
Cc: cfrg@ietf.org
Hi John,

On Sep 30, 2006, at 2:58 PM, John Wilkinson wrote:

> David,
>
> Sorry for my delayed response. I've been on business travel lately. I
> think you've got a lot of good comments from other people, and we
> understand each other's positions, so I'll wrap up here.
>
> On 9/15/06, David McGrew <mcgrew@cisco.com> wrote:
>> Hi John,
>>
>> On Sep 14, 2006, at 6:37 PM, John Wilkinson wrote:
>>
>> > David,
>> >
>> > Can you point me to an existing randomized AEAD specification that
>> > might have a more detailed rationale for its randomness?
>>
>> EAX, for one. It was an explicit design goal for that mode.
>
> I believe that EAX would be classified as "deterministic" under your
> terms, not as "random". EAX takes a nonce, message, and header, and
> deterministically produces a ciphertext (which includes both the
> unencrypted header and authentication tag). Given the same inputs
> (including nonce), EAX always produces the same ciphertext. Prof.
> Wagner, would you like to chime in here?

You're right about EAX. What I meant is that it was a goal that EAX
*could* be used with random nonces, though as you point out it is
deterministic (and is intended for use with deterministic nonces).

>> Most network identifiers are not suitable for use in constructing
>> nonces. For example, IP addresses are not suitable because of
>> network address translation (NAT) and DHCP, besides the fact that the
>> address identifies an interface rather than a device. Using a
>> network identifier would also put part of the IV under the control of
>> a system which may not provide high assurance about the distinctness
>> of the IVs, which is not always acceptable.
>
> True, IP addresses may not always be useful in constructing nonces,
> but unique device serial numbers may be.
>
>> The DSA and ECDSA signature algorithms require an internal random
>> source.
>
> Yes, but they don't specify how to obtain that randomness.

Ah, I understand your point.

> From Appendix 3 of FIPS:
>
> "In the algorithms in sections 3.1 and 3.2, a secret b-bit seed-key
> is used."
>
> The algorithms in sections 3.1 and 3.2 then specify how to use SHA to
> "stretch" an initial b-bit seed-key into infinitely many secret bits
> for generating private keys and signing.
>
> If you can guarantee a device has a unique b-bit key, I don't
> understand why you can't guarantee that it has a unique serial number.
>
> In any event, good job on writing something up for the lazier among us
> to throw darts at. :)

Thanks for bearing with me through the whole discussion! :-)

David

> -John

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
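The exchange above turns on two points: a deterministic AEAD returns the same ciphertext whenever it is given the same key, nonce, header and message, and the safe way to construct nonces is from something that is unique per device (a serial number rather than an IP address) combined with a counter, so that no nonce is ever issued twice under one key. The following Go program is an added example written for this archive page; it is not code from the draft, from EAX, or from anyone in the thread. Since EAX is not in the Go standard library, it uses AES-GCM from `crypto/cipher` as the deterministic AEAD, and it builds 96-bit nonces as a hypothetical 32-bit device serial number followed by a 64-bit invocation counter (the "fixed field || invocation field" shape of NIST SP 800-38D). The serial value and key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeviceNonceSource issues 96-bit AES-GCM nonces deterministically:
// a device-unique fixed field (hypothetical 32-bit serial number) followed
// by a 64-bit count of nonces already issued under the current key.
type DeviceNonceSource struct {
	serial  uint32
	counter uint64
}

func NewDeviceNonceSource(serial uint32) *DeviceNonceSource {
	return &DeviceNonceSource{serial: serial}
}

// Next returns the next nonce. It refuses to wrap the counter: a wrapped
// counter would repeat a nonce under the same key, which neither GCM nor
// EAX tolerates. The caller must rekey when this error is returned.
func (s *DeviceNonceSource) Next() ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rekey before issuing more nonces")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[0:4], s.serial)
	binary.BigEndian.PutUint64(nonce[4:12], s.counter)
	s.counter++
	return nonce, nil
}

// Seal encrypts plaintext with AES-GCM under key and nonce, binding aad
// (the "header" in EAX terminology) into the authentication tag.
func Seal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// SameCiphertext reports whether sealing identical inputs twice yields
// identical bytes. For a deterministic AEAD this is always true, which is
// exactly why the nonce must never repeat under one key.
func SameCiphertext(key, nonce, plaintext, aad []byte) (bool, error) {
	c1, err := Seal(key, nonce, plaintext, aad)
	if err != nil {
		return false, err
	}
	c2, err := Seal(key, nonce, plaintext, aad)
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1, c2), nil
}

// NoCollision checks that the first n nonces issued by two devices with
// distinct serial numbers are pairwise distinct, the property a unique
// per-device fixed field is meant to guarantee.
func NoCollision(a, b *DeviceNonceSource, n int) (bool, error) {
	seen := make(map[string]bool, 2*n)
	for _, src := range []*DeviceNonceSource{a, b} {
		for i := 0; i < n; i++ {
			nonce, err := src.Next()
			if err != nil {
				return false, err
			}
			if seen[string(nonce)] {
				return false, nil
			}
			seen[string(nonce)] = true
		}
	}
	return true, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)   // constructed demo key, never use a fixed key in practice
	src := NewDeviceNonceSource(0x00C0FFEE) // hypothetical device serial number
	nonce, _ := src.Next()
	same, _ := SameCiphertext(key, nonce, []byte("hello"), []byte("hdr"))
	fmt.Printf("nonce %x, deterministic: %v\n", nonce, same)
}
```

The counter in a real device has to survive reboots (persist it, or derive a fresh key per boot), otherwise the same serial-and-counter pair is issued again after a restart; that persistence problem, not the construction itself, is usually where deterministic nonce schemes fail in deployment.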