Hi Matt,
Thanks for taking the time to clarify this issue with NIST.
I just want to add one remark, drawn from personal experience, which concurs with Serge's previous email.
While LRW-AES is not an approved mode, I believe implementations of LRW have been approved for FIPS 140-2 as part of crypto modules by considering it as preprocessing of the plaintext and postprocessing of the ciphertext, instead of a new mode. - A rather ridiculous distinction I agree, but which seems to be fine with (some, most?) FIPS labs -
So as far as I know it does not preclude FIPS certification of the module, and while using LRW-AES, the module stays in FIPS mode. You just won't see LRW-AES as an approved mode on the final FIPS certificate.
In any case, I do agree that submitting it to NIST would be a good solution to clear up all those doubts.
Regards,
Cyril
--
Cyril Guyot
HGST Research
"Matt Ball" <[EMAIL PROTECTED]> wrote on 03/29/2006 07:46:52 AM:
> Thanks Morris for this clarification!
>
> Everyone else,
>
> Here is a message from Morris Dworkin concerning eligibility of LRW
> mode for FIPS 140-2 certification. Morris has published several
> NIST standards, including SP800-38a "Recommendation for Block Cipher
> Modes of Operation", which is the standard that specifies the
> allowed AES modes-of-operations for FIPS 140-2.
>
> According to Morris, LRW is not currently an approved encryption
> mode for FIPS 140-2 certification.
>
> -Matt
> -----Original Message-----
> From: Morris Dworkin [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 29, 2006 7:40 AM
> To: Matt Ball
> Subject: Re: IEEE P1619 LRW mode and FIPS 140-2 certification
> Dear Matt,
>
> LRW is not currently an approved encryption mode, and LRW cannot be
> equated to ECB for FIPS 140-2 certification. We would consider
> approving LRW if a proposal for it was submitted to us.
>
> Regards,
>
> Morris
>
> At 09:25 AM 3/28/2006 -0700, you wrote:
> Hi Morris,
>
> I was hoping you could help me answer a question. There's been some
> discussion recently on the IEEE 1619 e-mail list about whether the
> AES-LRW mode would be acceptable for NIST FIPS 140-2 certification.
> I was wondering if you could help us with the official NIST stance
> on the LRW mode. The current speculation is that it is possible to
> get approval by equating LRW mode to ECB mode, where ECB is
> acceptable under NIST SP 800-38a. However, there is an equally good
> cryptographic argument that says LRW is not ECB, and therefore
> cannot currently be FIPS 140-2 certified. I was wondering if you
> could shed some light on the subject for the benefit of the IEEE
> 1619 workgroup.
>
> Thanks!
>
> Matt Ball
> Embedded Software Engineer
> Quantum Corporation
> 4001 Discovery Drive, Suite 1100
> Boulder, CO 80303
> (720) 406-5766