FYI:

Here is a response from Morris Dworkin concerning standardization of GCM for FIPS 140. It looks like GCM will likely be standardized within 2-3 months. The only current issue appears to be the size of the authentication field. Since we're using the full 128-bits, I don't expect there will be any problems with compliance (but of course, things can always change...).

-Matt
-----Original Message-----
From: Morris Dworkin
Sent: Thursday, February 16, 2006 8:13 AM
To: Matt Ball
Cc: David McGrew
Subject: Re: Status of GCM standardization
Hi, Matt,
I would estimate that within a month a draft NIST Recommendation (Special Publication 800-38D)
for GCM will be posted for a public comment. The public comment period is typically between 30
and 60 days--for CCM it was 45 days, I think. After considering any public comments, if we decide
to go forward without significant changes, then the final bureaucratic approval for publication of the
document would probably come down a couple of weeks later. At that point, the mode would be
officially approved, although there is often another delay before FIPS 140 validation testing is
actually available for new algorithms.
Obviously, if significant technical issues are raised in public comments, then resolving them might
take a lot of time.
We still haven't finalized internally what requirements/guidance to propose for the length of the
authentication field. Even if we had, I wouldn't advise you to rely on them at this point, because
we might revise whatever we propose in light of public comments. However, if you would like to
influence what we'll propose, you or your groups are welcome to submit public comments before
a draft is posted for public comment.
Regards,
Morris
At 05:45 PM 2/15/2006 -0700, you wrote:
Hi Morris,
I was just asking David McGrew about the status of standardizing the AES GCM (Galois Counter Mode) algorithm, and he referred me over to you. Do you by chance know what the current timetable is for standardizing GCM as an approved FIPS 140-2 mode of operation? I'm currently working both with the IEEE 1619.1 group and T10 (SCSI specification) to use the GCM mode. It would make progress on these standards much easier if we knew that GCM is an approved mode, and what the final restrictions are (i.e. 96 or 128 bit authentication field). Otherwise, we have to add in CCM as a fall-back. It would be much easier if we could just support the faster mode (GCM).
I'd appreciate any input!
Thanks!
Matt Ball
Embedded Software Engineer
Quantum Corporation
4001 Discovery Drive, Suite 1100
Boulder, CO 80303
(720) 406-5766