Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 17 April 2015 18:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F310B1B2F3A for <>; Fri, 17 Apr 2015 11:35:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id X-E0o798WUWX for <>; Fri, 17 Apr 2015 11:35:46 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5EA6C1B2F38 for <>; Fri, 17 Apr 2015 11:35:46 -0700 (PDT)
X-AuditID: 1209190e-f79a76d000000d1b-a8-5531528188c0
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 95.B1.03355.18251355; Fri, 17 Apr 2015 14:35:45 -0400 (EDT)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id t3HIZijg015105; Fri, 17 Apr 2015 14:35:44 -0400
Received: from ( []) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id t3HIZg7B002702 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 17 Apr 2015 14:35:44 -0400
Received: (from kaduk@localhost) by ( id t3HIZg0x023940; Fri, 17 Apr 2015 14:35:42 -0400 (EDT)
Date: Fri, 17 Apr 2015 14:35:42 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Jeffrey Altman <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHIsWRmVeSWpSXmKPExsUixCmqrNsYZBhqsOmpkMWflZPYLI5uXsXi wOSxZMlPJo+TfedZA5iiuGxSUnMyy1KL9O0SuDJezH/MXnCGo6Ll/BWmBsbfbF2MnBwSAiYS 56dtYoawxSQu3FsPFOfiEBJYzCSx/PZFFghnI6PE+8UrmSGcQ0wSq/bfAGsXEmhglNg2tRDE ZhHQltgzdy8TiM0moCIx881GsBoRAUOJtv83WUFsZgFhifXnZoCtExZwkZi1ZQU7iM0JdMar S08ZQWxeAUeJp6cWM0Esu8oo8eroK7BBogI6Eqv3T2GBKBKUODnzCQvEUC2J5dO3sUxgFJyF JDULSWoBI9MqRtmU3Crd3MTMnOLUZN3i5MS8vNQiXWO93MwSvdSU0k2M4GCV5NvB+PWg0iFG AQ5GJR7eA/EGoUKsiWXFlbmHGCU5mJREef+7GIYK8SXlp1RmJBZnxBeV5qQWH2KU4GBWEuFV MgXK8aYkVlalFuXDpKQ5WJTEeTf94AsREkhPLEnNTk0tSC2CycpwcChJ8N4NAGoULEpNT61I y8wpQUgzcXCCDOcBGi4fCDK8uCAxtzgzHSJ/ilFRSpz3BUizAEgiozQPrheWTF4xigO9Isyb BNLOA0xEcN2vgAYzAQ0u3WEAMrgkESEl1cC4gfGKdFyVULAmo1bLgi2CeR0lQh3GzdJ5i99b 8i0Wj/wT7frsx5xru7zMzsjvyHY93PRcTIOx8e5uwcMrS9X3bzd+cog7bHVxQ/th9XVNmxeb LJyycGu7Zib/4wDO70HrM+39DpmbhQjfyOBli9ZOupvRXDNl17XwRO0OlW8lpxvyTO888lJi Kc5INNRiLipOBABKUiFzAQMAAA==
Archived-At: <>
Subject: Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Apr 2015 18:35:48 -0000

Hi Jeffrey,

On Thu, 9 Apr 2015, Jeffrey Altman wrote:

> raised are significant.   Do we have independent review from trusted
> cryptographers?  I'm not one so will not try to review the math.

I don't believe there was explicit "independent cryptographer" review at
the time you wrote this.  ("Does Nico count as a cryptographer?")

That said, this document is basically just taking some well-understood
building blocks and combining them in well-understood ways.  It differs
from the existing AES enctypes in using encrypt-then-mac (now the
~universal consensus of the community), in using newer hash functions
truncated to a longer length, and in the key derivation algorithm.  The
key derivation algorithm it uses, from NIST SP800-108, is quite well
understood.  Oh, and the default PBKDF2 iteration count was increased.

I do not think that there is any sufficiently novel cryptography going on
so as to require additional review.  If you still feel that more review
(e.g., from CFRG) is necessary, please say so, ideally with some rebuttals
to my above argument.