[145340] in cryptography@c2.net mail archive
Re: Encryption and authentication modes
daemon@ATHENA.MIT.EDU (james hughes)
Wed Jul 14 13:50:20 2010
From: james hughes <hughejp@mac.com>
In-reply-to: <82hbk2tpgd.fsf@mid.bfk.de>
Date: Wed, 14 Jul 2010 10:33:59 -0700
Cc: james hughes <hughejp@mac.com>,
Cryptography List <cryptography@metzdowd.com>
To: Florian Weimer <fweimer@bfk.de>
On Jul 14, 2010, at 1:52 AM, Florian Weimer wrote:
> What's the current state of affairs regarding combined encryption and
> authentication modes?
>
> I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
> couldn't find test vectors), but I later came across CCM and EAX. CCM
> has the advantage of being NIST-reviewed. EAX can do streaming (but
> that's less useful when doing authentication). Neither seems to be
> widely implemented. But both offer a considerable reduction in
> per-message overhead when compared to the HMAC-SHA1/AES combination.
>
> Are there any other alternatives to consider?
If there is no room for an integrity field, you can look at XTS-AES.
http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
> Are there any traps I should be aware of when implementing CCM?
CCM is a "counter mode cipher", so don't reuse the count (with any reasonable probability).
Jim
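The warning above about not reusing the count, as an added example that is not part of the original message: it shows only the counter-mode half of CCM (the CBC-MAC tag is omitted), and HMAC-SHA256 stands in for the AES block call so the code runs on the Python standard library alone. The `NonceSequence` guard, the key and the sample messages are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || block counter).
    HMAC-SHA256 is a stand-in for AES here (assumption, stdlib only)."""
    out, ctr = b"", 0
    while len(out) < length:
        block_input = nonce + ctr.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

class NonceSequence:
    """Hypothetical sender-side guard: one monotonic counter per key.
    It never repeats and refuses to wrap; a real sender must also
    persist `next` across restarts (not shown)."""
    def __init__(self, size: int = 12, start: int = 0):
        self.size, self.next = size, start

    def take(self) -> bytes:
        if self.next >= 1 << (8 * self.size):
            raise OverflowError("nonce space exhausted: rekey first")
        nonce = self.next.to_bytes(self.size, "big")
        self.next += 1
        return nonce

def demo():
    key = b"\x01" * 32                      # constructed sample key
    p1 = b"transfer 0100 to account A"      # constructed messages
    p2 = b"transfer 9999 to account B"
    reused = b"\x00" * 12
    c1, c2 = ctr_encrypt(key, reused, p1), ctr_encrypt(key, reused, p2)
    # Same key and nonce: the keystream cancels, exposing p1 XOR p2.
    leaks = xor(c1, c2) == xor(p1, p2)
    seq = NonceSequence()
    d1, d2 = ctr_encrypt(key, seq.take(), p1), ctr_encrypt(key, seq.take(), p2)
    # Distinct nonces: the ciphertext XOR no longer equals p1 XOR p2.
    safe = xor(d1, d2) != xor(p1, p2)
    return leaks, safe

if __name__ == "__main__":
    print(demo())
```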