RE: "the most important applications"

Wed, 18 Jan 2006 10:37:45 -0800 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Serge Plotkin
> Sent: Tuesday, January 17, 2006 3:53 PM
> To: [EMAIL PROTECTED]
> Cc: SISWG; Shai Halevi
> Subject: RE: "the most important applications"
> 
> As I have written several times before, the compliance with 
> the standard DOES NOT guarantee security of the system. It is 
> only a building block, nothing more, nothing less. Explaining 
> all of the security implications is far beyond anything we 
> can include in the standard. 
> 
> Roughly speaking, the goal of the standard is to propose a 
> mode of encryption that does not expand data and gives some 
> protection against copy and paste operations from one sector 
> to another. Additional goal is to specify the parameters that 
> are necessary so that one implementation will be able to 
> decrypt what was encrypted with another implementation. 
> Essentially, this is all we can hope to cover.
> 
> There are a million attacks that the LRW-AES does not protect 
> against. There a million ways to make the system compliant 
> with the standard and at the same time being completely not 
> secure. Explaining these issues is outside the scope. All we 
> can do is encourage implementers to use common sense and to 
> try and comply with FIPS/CC.
> 
> Hope this message will stop the avalanche of mail messages.

It is too bad that you stated the above very very late in the
process.  What you have said was very clear in its intent and
scope.

Please be so kind as to add this to rationale:

        The goal of the standard is to propose a mode of encryption
        that does not expand data and gives some protection against
        copy and paste operations from one sector  Additional goal
        is to specify the parameters that  are necessary so that one
        implementation will be able to decrypt what was encrypted
        with another implementation.

As well as:

        There are a numerious attacks that the LRW-AES does not protect
        against. There numerious to make a system compliant with the
        standard in a completely insecure way.  Explaining these issues
        is outside the scope of this standard.  The intent of this
        standard is to encourage implementers to use common sense and
        to try and comply with FIPS/CC.

The above text is taken from your Email, with a few minor edits such
as replacing "millions" to "numerious", etc.

chongo () /\oo/\

Reply via email to