Re: ECB+CTR Mode?
From: Mark Wooding (mdw_at_nsict.org)
Date: 11 Aug 2003 16:00:00 GMT
Tom St Denis <email@example.com> wrote:
> Last I checked OBC [or what not]
OCB, by Phillip Rogaway.
> was the only mode to provide both security and authentication.
Err... I presume you mean `secrecy' where you said `security'. Both
secrecy and authenticity are security goals, and there are others. And
you're wrong. Check out Jutla's IACBC and IAPM, and Gligor and
Donescu's XECB and XCBC; and then see EAX (Bellare, Rogaway, and Wagner)
and CWC (Kohno, Viega, and Whiting). All of these come with security
proofs, and I have no reason to think they're invalid.
> Ironically the NIST standard "OMAC" only provides a MAC
Your idea of irony is very odd. And it looks to me as if OMAC does what
it says on the tin.
> [so you might as well use HMAC since it will allow you to use other
> hashes with bigger digest sizes].
Depends. Many applications will truncate MAC tags, because they need
only be unpredictable in their entirety. A 128-bit tag is quite
sufficient for most applications, and using the same 128-bit block
cipher for both means that you don't have to assume the security of some
hash function like SHA1.
> The problem is you need extra entropy to tell the end user the message
> is correct.
Indeed. Hoping that the next layer up can detect garbles is hopeless.
Suppose that what's being transmitted is key material (and hence
random), for example!