On Sat, Feb 28, 2015 at 01:08:03PM +0100, Stephan Mueller wrote: > Am Samstag, 28. Februar 2015, 23:47:12 schrieb Herbert Xu: > > Hi Herbert, > > > On Thu, Feb 19, 2015 at 07:56:48AM +0100, Stephan Mueller wrote: > > > In case of rfc4106(gcm(aes)), the IV is 96 bits. Thus, our constructed > > > > > IV looks like: > > The IV to rfc4106 is 96 bits, but the IV to the underlying gcm > > is 128 bits so that's what guarantees the uniqueness. > > We have to be careful with the wording here: SP800-38D specifies the 96 bits > as the IV (also called the nonce). The additional 32 bit you refer to is the > counter for the CTR mode. The complete 128 bit are *not* referred to when > SP800-38D speaks about the uniqueness of IVs in section 8.2.1 or 8.2.2. > > Thus, we come back to the 96 bits. And I do not dispute that there is almost > zip probability of collisions, all I want to state is that the construction > method with seqiv does neither comply with section 8.2.1 nor with 8.2.2. That > means, the GCM IV construction currently does not meet the specification of > SP800-38D. Furthermore, the authors of SP800-38D currently do not approve of > the seqiv construction method. The 96 bits are guaranteed to be unique for a given key because the 64-bit sequence number is given to us by the IPsec stack which must guarantee its uniqueness. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html