We have some challenges.
The CCM spec does not allow long IVs.
Thinking out loud... If we do not want to use SHA-1, would it be
possible to have K2 = E_k1(id) or K2 = E_id(k1), where k1 is the key
provided, id is a 16-byte vendor-unique (or standard) name, and K2
is the actual media key? This way, we don't introduce a new algorithm
into the standard (more algorithms, more potential weaknesses).
jim
On Jan 5, 2006, at 3:12 PM, Landon Noll wrote:
There are two ways that I see to solve the IV collision issue:
1. Allow longer IVs: The GCM spec allows IVs of any size; we can just
do the same for 1619.1, and leave it to the application to decide how
to set the IV and to what size. The application can then set the IV to
include the vendor-ID and whatever else it wants to put there. (Does
the CCM spec allow long IVs?) Just allow any-size IV and put some
appendix that describes the multi-vendor IV issue and sketches the two
solutions above.
I strongly favor this option.
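To make the key-derivation idea from the reply above concrete, here is an added example in Go (not code from this thread, nor from any P1619.1 draft). It derives K2 = E_k1(id) and the alternative K2 = E_id(k1) for two constructed vendor IDs that share one k1, then shows the collision the thread is worried about: two vendors that reuse the same IV under a shared k1 produce identical counter-mode keystreams, while per-vendor K2 values make the same IV harmless. Go's standard library has no CCM, so AES-GCM stands in for it here (an assumption of the example; both are counter-mode constructions, so (key, IV) reuse is equally fatal in either). All keys, IDs, IVs and function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveMediaKey implements the first variant, K2 = E_k1(id): the 16-byte id
// (vendor-unique or standard name) is encrypted as one AES block under the
// provided key k1. AES under a fixed key is a permutation, so two different
// ids can never yield the same K2.
func deriveMediaKey(k1, id []byte) ([]byte, error) {
	if len(id) != aes.BlockSize {
		return nil, fmt.Errorf("id must be exactly %d bytes, got %d", aes.BlockSize, len(id))
	}
	block, err := aes.NewCipher(k1) // k1 may be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	k2 := make([]byte, aes.BlockSize)
	block.Encrypt(k2, id)
	return k2, nil
}

// deriveMediaKeyAlt implements the second variant, K2 = E_id(k1): k1 is
// encrypted as one block under the id used as an AES-128 key. This only
// works when k1 is itself a single 16-byte block.
func deriveMediaKeyAlt(k1, id []byte) ([]byte, error) {
	if len(k1) != aes.BlockSize || len(id) != aes.BlockSize {
		return nil, errors.New("E_id(k1) needs a 16-byte k1 and a 16-byte id")
	}
	block, err := aes.NewCipher(id)
	if err != nil {
		return nil, err
	}
	k2 := make([]byte, aes.BlockSize)
	block.Encrypt(k2, k1)
	return k2, nil
}

// keystream returns the first n bytes of counter-mode keystream AES-GCM
// produces for key/iv, obtained by sealing n zero bytes and dropping the tag.
// GCM stands in for CCM here (Go's standard library has no CCM).
func keystream(key, iv []byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // expects a 12-byte IV
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, iv, make([]byte, n), nil)
	return ct[:n], nil
}

// sameIVCollides reports whether two vendors sharing k1 who both pick the
// same IV end up with identical keystreams (XORing their ciphertexts would
// then reveal the XOR of their plaintexts). With derive=false each vendor
// encrypts under k1 directly; with derive=true each uses its own E_k1(id).
func sameIVCollides(k1, iv, idA, idB []byte, derive bool) (bool, error) {
	keyA, keyB := k1, k1
	if derive {
		var err error
		if keyA, err = deriveMediaKey(k1, idA); err != nil {
			return false, err
		}
		if keyB, err = deriveMediaKey(k1, idB); err != nil {
			return false, err
		}
	}
	ksA, err := keystream(keyA, iv, 32)
	if err != nil {
		return false, err
	}
	ksB, err := keystream(keyB, iv, 32)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ksA, ksB), nil
}

func main() {
	// Constructed sample inputs; not real keys or vendor identifiers.
	k1 := []byte("0123456789abcdef")  // 16-byte key provided to the device
	idA := []byte("VENDOR-A-0000001") // 16-byte vendor-unique names
	idB := []byte("VENDOR-B-0000001")
	iv := []byte("unique-iv-01") // 12-byte IV both vendors happen to choose

	for _, id := range [][]byte{idA, idB} {
		k2, _ := deriveMediaKey(k1, id)
		fmt.Printf("E_k1(%s) = %s\n", id, hex.EncodeToString(k2))
	}
	raw, _ := sameIVCollides(k1, iv, idA, idB, false)
	derived, _ := sameIVCollides(k1, iv, idA, idB, true)
	fmt.Printf("same IV under shared k1 collides:     %v\n", raw)
	fmt.Printf("same IV under per-vendor K2 collides: %v\n", derived)
}
```

The trade-off the reply hints at is visible in the length checks: E_k1(id) reuses AES and nothing else, but it fixes the id at one 16-byte block, whereas a hash-based derivation would accept vendor names of any length.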