Encryption and authentication modes
james hughes
hughejp at mac.com
Wed Jul 14 13:33:59 EDT 2010
On Jul 14, 2010, at 1:52 AM, Florian Weimer wrote:
> What's the current state of affairs regarding combined encryption and
> authentication modes?
>
> I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
> couldn't find test vectors), but I later came across CCM and EAX. CCM
> has the advantage of being NIST-reviewed. EAX can do streaming (but
> that's less useful when doing authentication). Neither seems to be
> widely implemented. But both offer a considerable reduction in
> per-message overhead when compared to the HMAC-SHA1/AES combination.
>
> Are there any other alternatives to consider?
If there is no room for or an integrity field, you can look at XTS-AES.
http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
> Are there any traps should be aware of when implementing CCM?
CCM is a "counter mode cipher", so don't reuse the count (with any reasonable probability).
Jim
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list