IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



Nicolas Williams <Nicolas.Williams%sun.com@localhost> writes:

> But, actually, I think I was wrong about PKCS#11, it does seem to allow
> online decryption with AEAD modes.

Good to hear, thanks for checking. If this is indeed a feature that is
typical of aead implementations (as seems to be the case), is there
any remaining reason not to use it and handle the encrypted length
field in the same way as for other encryption algorithms?

Do you reduce possibilities for attacks if you use separate ciphers
for the first blocks and the rest of the data? IIRC, the attacks that
have been mentioned all rely on cbc, so they are not effective against
aes-gcm.

Ideally, I guess it would be best to send

  1. first block (encrypted and including length field),
  2. mac of first block
  3. rest of message (encrypted)
  4. mac of complete message

but this is probably not the right time to make changes like that.

Regards,
/Niels
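Added example, not code from this thread or from any SSH implementation: a Go sketch of the arrangement RFC 5647 specifies for AES-GCM in SSH, in which packet_length is sent in the clear but bound into the GCM tag as additional authenticated data, and the 12-byte nonce is a 4-byte fixed field plus an 8-byte per-packet invocation counter. It shows how that choice handles the length field the post is asking about: the receiver reads the length without touching the cipher, reads exactly that many bytes plus the tag, and one tag check covers both the length and the ciphertext. The key, IV, payload and the one-direction AEADChannel type are constructed for the demonstration, SSH's padding fields are left out, and the four-part layout Niels sketches above is not what is implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// maxPacket mirrors the 35000-byte total packet size that RFC 4253 requires
// implementations to accept; a larger declared length is refused before any
// decryption happens.
const maxPacket = 35000

// AEADChannel is one direction of an AES-GCM protected SSH-style stream.
// The GCM nonce is a 4-byte fixed field followed by an 8-byte invocation
// counter incremented for every packet, so no nonce repeats under one key.
type AEADChannel struct {
	aead    cipher.AEAD
	fixed   [4]byte
	counter uint64
}

// NewAEADChannel builds the GCM state from a key and initial IV. Sender and
// receiver of a direction start from the same IV and stay in step by counting
// packets.
func NewAEADChannel(key []byte, iv [12]byte) (*AEADChannel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	c := &AEADChannel{aead: aead}
	copy(c.fixed[:], iv[:4])
	c.counter = binary.BigEndian.Uint64(iv[4:])
	return c, nil
}

// nextNonce returns the nonce for the current packet and advances the counter.
func (c *AEADChannel) nextNonce() []byte {
	n := make([]byte, 12)
	copy(n, c.fixed[:])
	binary.BigEndian.PutUint64(n[4:], c.counter)
	c.counter++
	return n
}

// Seal produces the wire form
//   packet_length (4 bytes, in the clear, authenticated as AAD)
//   || AES-GCM ciphertext of payload || 16-byte tag
func (c *AEADChannel) Seal(payload []byte) []byte {
	lenField := make([]byte, 4)
	binary.BigEndian.PutUint32(lenField, uint32(len(payload)))
	sealed := c.aead.Seal(nil, c.nextNonce(), payload, lenField)
	return append(lenField, sealed...)
}

// Open parses one packet. The receiver learns how many bytes to wait for from
// the clear length field, and the single tag check then covers both that
// field and the ciphertext, so a modified length is detected, not acted on.
func (c *AEADChannel) Open(wire []byte) ([]byte, error) {
	if len(wire) < 4 {
		return nil, errors.New("packet too short to carry a length field")
	}
	lenField := wire[:4]
	n := binary.BigEndian.Uint32(lenField)
	if n > maxPacket {
		return nil, fmt.Errorf("declared length %d exceeds limit", n)
	}
	need := 4 + int(n) + c.aead.Overhead()
	if len(wire) != need {
		return nil, fmt.Errorf("expected %d bytes on the wire, got %d", need, len(wire))
	}
	// The counter advances even on failure: in SSH an authentication failure
	// ends the connection, so there is no resynchronisation to worry about.
	return c.aead.Open(nil, c.nextNonce(), wire[4:], lenField)
}

func main() {
	// Constructed key and IV for the demo; a real implementation takes them
	// from the key exchange.
	key := []byte("0123456789abcdef") // AES-128
	iv := [12]byte{0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 1}
	tx, _ := NewAEADChannel(key, iv)
	rx, _ := NewAEADChannel(key, iv)

	wire := tx.Seal([]byte("SSH payload"))
	fmt.Printf("clear length field: %x, total %d bytes\n", wire[:4], len(wire))
	plain, err := rx.Open(wire)
	fmt.Printf("opened: %q err=%v\n", plain, err)

	// Flip one ciphertext bit: the tag no longer verifies.
	rx2, _ := NewAEADChannel(key, iv)
	tampered := append([]byte(nil), wire...)
	tampered[6] ^= 0x80
	_, err = rx2.Open(tampered)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

Because the length is outside the ciphertext, decryption can proceed strictly online (read 4 bytes, then read length plus tag, then one Open call), which is the property the post hopes AEAD implementations such as PKCS#11 expose; the price is that packet lengths are visible on the wire, which the CBC-era designs tried to hide.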


