IETF-SSH archive


Re: Core draft last call update.



On Wed, Mar 13, 2002 at 06:33:34PM -0500, Bill Sommerfeld wrote:
> It needs to be turned into a stand-alone internet-draft.

Why?

> > For any cipher in CTR mode, the counter used to encrypt each plaintext
> > block MUST be the IV if no previous plaintext block exists, or C+1 mod 2^N
> > where C is the counter used to encrypt the previous block, and N is the
> > block size of the cipher in bits.  Network order SHOULD be used to convert
> > the counter between its octet string form and its integer form for the
> > computation of C+1 mod 2^N. 
> 
> so:
> 
> The size of the IV is left unspecified.

Ok, add this sentence to the end of 5.2:

For block cipher based algorithms with variable-length IVs, the IV length
SHOULD be the block size of the underlying block cipher.

> The text "the counter used to encrypt each plaintext block" is
> unspecified, and could mean any of:
> 
> 	C[n] = ECB-Encrypt(ctr++, P[n]);
> 	C[n] = P[n] ^ ECB-Encrypt(K, ctr++);
> 	C[n] = P[n] ^ ctr++;

Ok, add this reference to the first mention of CTR:

   [SP800-38A] "Recommendation for Block Cipher Modes of Operation", 
   United States of America, National Institute of Science and 
   Technology, NIST Special Publication 800-38A 2001 Edition, December 
   2001. 

> Also left underspecified is the block size of the mode (i.e., in terms
> of how the transport layer pads out messages to the block size);
> fundamentally there's no reason why this has to be the same as the
> underlying cipher block size, but if they're different, you need to
> specify whether or not partial blocks get carried over from message to
> message.

Good point, change the first paragraph under "random padding", section 4: 

Arbitrary-length padding, such that the total length of (packet_length ||
padding_length || payload || padding) is a multiple of the cipher block
size.  For ciphers that do not need to process data in blocks (for example
stream ciphers and block ciphers in CTR mode), a block size of 8 SHOULD be
used for the purpose of determining padding length.

And change the phrase "initialization vectors" in second paragraph of
section 4.3 to "initialization vectors and unused keystream octets".
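
An added illustration, not part of the original message or of the draft: the counter rule (IV first, then C+1 mod 2^N in network order) and the carry-over of unused keystream octets when packets are padded to 8 octets but the cipher block is 16. The names `next_counter`, `stand_in_block_encrypt`, `CtrState` and `demo` are assumptions, and the HMAC-based function only stands in for a block cipher's forward function in the SP 800-38A reading `C[n] = P[n] ^ E(K, ctr++)`.

```python
import hashlib
import hmac

def next_counter(ctr: bytes) -> bytes:
    """Return C+1 mod 2^N, converting the octet string in network order."""
    n_bits = len(ctr) * 8
    value = (int.from_bytes(ctr, "big") + 1) % (1 << n_bits)
    return value.to_bytes(len(ctr), "big")

def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Assumption: keyed stand-in for the cipher's forward function, so the
    example needs no crypto library. It is not a real block cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:len(block)]

class CtrState:
    """One direction of a connection: counter plus unused keystream octets."""
    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.counter = iv      # the first block is encrypted under the IV
        self.unused = b""      # keystream left over from the previous packet

    def crypt(self, packet: bytes) -> bytes:
        """XOR a packet with keystream; the same call encrypts and decrypts."""
        while len(self.unused) < len(packet):
            self.unused += stand_in_block_encrypt(self.key, self.counter)
            self.counter = next_counter(self.counter)
        keystream = self.unused[:len(packet)]
        self.unused = self.unused[len(packet):]
        return bytes(p ^ k for p, k in zip(packet, keystream))

def demo():
    key = b"constructed-key!"          # constructed sample values
    iv = bytes(15) + b"\xff"           # low octet is about to carry
    sender, receiver = CtrState(key, iv), CtrState(key, iv)
    packets = [b"A" * 24, b"B" * 24]   # multiples of 8, not of 16
    wire, leftovers = [], []
    for p in packets:
        wire.append(sender.crypt(p))
        leftovers.append(len(sender.unused))
    plain = [receiver.crypt(c) for c in wire]
    # Encrypting the concatenation in one call must give the same octets,
    # which only holds if partial blocks are carried between packets.
    one_shot = CtrState(key, iv).crypt(b"".join(packets))
    return wire, leftovers, plain, one_shot, sender.counter

if __name__ == "__main__":
    print(demo()[1])
```
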


