Re: [Cfrg] draft-housley-ccm-mode-00.txt
David Wagner wrote:
>Can you elaborate? What advantages do you see for CCM over
>the standard encrypt-then-authenticate generic composition of
>AES-CBC encryption and AES-CBC-MAC (suitably modified to be
>secure for variable-length messages)? The latter is unencumbered
>and has the same performance characteristics as CCM.
>
An advantage I can see is the use of the same key for both
authentication and encryption. I'm not aware of any proof of security
for an encrypt-then-authenticate design that holds up when you use the
same key for both encryption and authentication. Using the same key
halves the key storage requirements for an 802.11 base station. CCM
tries to ensure that the likelihood of collisions follows the usual
birthday bound curve, and the article claims that encrypting the MAC
value makes analysis of the MAC value impossible.
The proof of security will make for an interesting read.
Gé
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg