Re: [Cfrg] request for comments on "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 20 July 2011 07:50 UTC
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF4D21F873A for <cfrg@ietfa.amsl.com>; Wed, 20 Jul 2011 00:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.643
X-Spam-Level:
X-Spam-Status: No, score=-3.643 tagged_above=-999 required=5 tests=[AWL=-0.044, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YJkrZ2xv1Fi5 for <cfrg@ietfa.amsl.com>; Wed, 20 Jul 2011 00:50:16 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF4B21F872F for <cfrg@irtf.org>; Wed, 20 Jul 2011 00:50:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1311148217; x=1342684217; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20dharkins@lounge.org,=20pgut001@cs.auckland.ac.nz |Subject:=20Re:=20[Cfrg]=20request=20for=20comments=20on =20"Generation=20of=20Deterministic=20Initialization=20Ve ctors=20(IVs)=20and=20Nonces"|Cc:=20cfrg@irtf.org,=20mcgr ew@cisco.com|In-Reply-To:=20<49fd928bf94d1d1920df676bb61f a198.squirrel@www.trepanning.net>|Message-Id:=20<E1QjRXj- 0002HE-HM@login01.fos.auckland.ac.nz>|Date:=20Wed,=2020 =20Jul=202011=2019:50:07=20+1200; bh=fupqVjnY9wqsXfjNcJSoTbDFVGuhRCe0YLrOoK/hYkc=; b=tVmjTXbseq3ZVL2FWwNPsQLv7Q97rWK+QAdGiWwDhqHvLSIqUFoxOXWM lm0TzSd+CyTBwEro0EGTvhn98YyG0SS0vBOVbAGj6MebramdOzxmBVI02 zkw+fbYF7o/TGqC1LJSwVN77hNEBHn42cz7ghYg87vbM5WfMsCqtejBWF U=;
X-IronPort-AV: E=Sophos;i="4.67,233,1309694400"; d="scan'208";a="72896870"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 20 Jul 2011 19:50:07 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QjRXj-0005YD-Hz; Wed, 20 Jul 2011 19:50:07 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QjRXj-0002HE-HM; Wed, 20 Jul 2011 19:50:07 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: dharkins@lounge.org, pgut001@cs.auckland.ac.nz
In-Reply-To: <49fd928bf94d1d1920df676bb61fa198.squirrel@www.trepanning.net>
Message-Id: <E1QjRXj-0002HE-HM@login01.fos.auckland.ac.nz>
Date: Wed, 20 Jul 2011 19:50:07 +1200
Cc: mcgrew@cisco.com, cfrg@irtf.org
Subject: Re: [Cfrg] request for comments on "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 07:50:20 -0000
"Dan Harkins" <dharkins@lounge.org> writes: >Let me remind everyone of SIV mode*. It's a CTR mode derivative but is >resistant to nonce misuse. Unlike CBC, the nonce doesn't need to be >unguessable. And it even provides a strong assurance of security if the nonce >is reused. Doesn't SIV require the entire message to be buffered, which makes it unusable in streaming implementations? [Checks] Unless I've misinterpreted some part of Fig.3 and Fig.8 of RFC 5297, this can't be used in a streaming implementation because the CMAC operation to create the IV has to make a complete pass over the message before you can start encrypting (this is also similar to a key-wrap mechanism that Colin Plumb and I came up with for RFC 3211, although it'd need a tweak to use a proper MAC for full integrity-protection, it was designed for non-expanding 512-byte disk sector encryption and dates from the early 1990s, so it predates pretty much all of the work that newer modes and mechanisms are built on). SIV is quite nice for something like 802.11, SRTP, DTLS, and others, but unfortunately won't work as a general-purpose mechanism. Are there any IP issues around SIV? Peter.
- [Cfrg] AES-GCM weakness Jérémie Crenne
- Re: [Cfrg] AES-GCM weakness David McGrew
- Re: [Cfrg] AES-GCM weakness Scott Fluhrer (sfluhrer)
- Re: [Cfrg] AES-GCM weakness Peter Gutmann
- [Cfrg] request for comments on "Generation of Det… David McGrew
- Re: [Cfrg] request for comments on "Generation of… Peter Gutmann
- Re: [Cfrg] request for comments on "Generation of… Dan Harkins
- Re: [Cfrg] request for comments on "Generation of… Peter Gutmann
- Re: [Cfrg] request for comments on "Generation of… Jim Schaad
- Re: [Cfrg] request for comments on "Generation of… David Jacobson
- Re: [Cfrg] request for comments on "Generation of… Dan Harkins
- [Cfrg] two-pass modes of operation David McGrew
- Re: [Cfrg] request for comments on "Generation of… David McGrew
- Re: [Cfrg] request for comments on "Generation of… Peter Gutmann