Re: GCM / seqiv and SP800-38D

On Sat, Feb 28, 2015 at 01:08:03PM +0100, Stephan Mueller wrote:
> Am Samstag, 28. Februar 2015, 23:47:12 schrieb Herbert Xu:
> 
> Hi Herbert,
> 
> > On Thu, Feb 19, 2015 at 07:56:48AM +0100, Stephan Mueller wrote:
> > > In case of rfc4106(gcm(aes)), the IV is 96 bits. Thus, our constructed
> > > IV looks like:
> > The IV to rfc4106 is 96 bits, but the IV to the underlying gcm
> > is 128 bits so that's what guarantees the uniqueness.
> 
> We have to be careful with the wording here: SP800-38D specifies the 96 bits
> as the IV (also called the nonce). The additional 32 bits you refer to are the
> counter for the CTR mode. The complete 128 bits are *not* referred to when
> SP800-38D speaks about the uniqueness of IVs in section 8.2.1 or 8.2.2.
> 
> Thus, we come back to the 96 bits. And I do not dispute that there is almost
> zip probability of collisions; all I want to state is that the construction
> method with seqiv complies with neither section 8.2.1 nor section 8.2.2. That
> means the GCM IV construction currently does not meet the specification of
> SP800-38D. Furthermore, the authors of SP800-38D currently do not approve of
> the seqiv construction method.

The 96 bits are guaranteed to be unique for a given key because the
64-bit sequence number is given to us by the IPsec stack which must
guarantee its uniqueness.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
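To make the distinction in the thread concrete, here is an added example (not code from the thread, the kernel, or either author) that models the rfc4106 nonce layout and the GCM counter block, and checks a batch of sequence numbers for nonce reuse under one key. It assumes the RFC 4106 layout of 32-bit salt || 64-bit per-packet IV for the 96-bit nonce, and SP800-38D's rule that a 32-bit block counter starting at 1 is appended to a 96-bit nonce to form the 128-bit initial counter block.

```python
# Added example (not from the linux-crypto thread): models the rfc4106(gcm(aes))
# nonce layout (RFC 4106) and the GCM initial counter block (SP800-38D) to show
# which bits the SP800-38D uniqueness requirement actually covers.
# Assumed layout: 96-bit nonce = 32-bit salt || 64-bit per-packet IV (the ESP
# sequence number when built by seqiv); GCM appends a 32-bit block counter
# starting at 1 to form the 128-bit counter block J0.
import struct
from typing import Iterable, List

def rfc4106_nonce(salt: bytes, seq: int) -> bytes:
    """Build the 96-bit GCM nonce: salt (4 bytes) || 64-bit sequence number."""
    if len(salt) != 4:
        raise ValueError("salt must be 32 bits")
    if not 0 <= seq < 2**64:
        raise ValueError("sequence number must fit in 64 bits")
    return salt + struct.pack(">Q", seq)

def gcm_j0(nonce: bytes, block_counter: int = 1) -> bytes:
    """128-bit counter block GCM derives from a 96-bit nonce (SP800-38D 7.1)."""
    if len(nonce) != 12:
        raise ValueError("this helper models the 96-bit nonce case only")
    return nonce + struct.pack(">I", block_counter)

def find_nonce_reuse(salt: bytes, seqs: Iterable[int]) -> List[int]:
    """Return sequence numbers whose 96-bit nonce repeats under one key.

    Only the 96-bit nonce is compared: the 32-bit counter GCM appends is the
    same (1) for every message, so it cannot rescue a repeated nonce. With a
    fixed salt, nonce uniqueness therefore reduces to sequence-number
    uniqueness, which is the guarantee the IPsec stack must provide.
    """
    seen = set()
    repeated = []
    for s in seqs:
        n = rfc4106_nonce(salt, s)
        if n in seen:
            repeated.append(s)
        seen.add(n)
    return repeated

if __name__ == "__main__":
    salt = bytes.fromhex("cafebabe")  # constructed sample salt, not a real SA value
    print(rfc4106_nonce(salt, 1).hex())          # cafebabe0000000000000001
    print(gcm_j0(rfc4106_nonce(salt, 1)).hex())  # ...0000000100000001
    print(find_nonce_reuse(salt, [1, 2, 3, 2]))  # [2]
```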