Laszlo,

As you say the devil is in the details. By submitting
proofs similar to Shai's, the vendor can assure the lab
that their implementation does not weaken ECB...

Gideon

On Wed, 29 Mar 2006 11:02:18 -0700 [EMAIL PROTECTED] wrote:
> >> implementations of LRW have been approved for FIPS 140-2 as part of
> >> crypto modules by considering it as preprocessing of the plaintext
> >> and postprocessing of the ciphertext
> 
> The devil is in the details: how this pre- and post-processing is done.
> If you happen to do it with xor-ing the plaintext itself, it is still
> ECB with pre- and post-processing, but an insecure encryption mode. You
> need Shai's proofs to know that LRW is secure. It is far from obvious.
> Many tweaking schemes are insecure, although they just pre- and
> post-process data. The FIPS lab, which certified LRW as an approved
> mode of encryption, should lose its license, and the person
> responsible for this blunder should be fired.
> 
> Laszlo
> 
> > -------- Original Message --------
> > Subject: RE: IEEE P1619 LRW mode and FIPS 140-2 certification
> > From: [EMAIL PROTECTED]
> > Date: Wed, March 29, 2006 11:36 am
> > To: "Matt Ball" <[EMAIL PROTECTED]>
> > Cc: "Morris Dworkin" <[EMAIL PROTECTED]>, stds-p1619@LISTSERV.IEEE.ORG,
> > [EMAIL PROTECTED]
> > 
> > Hi Matt,
> > 
> > Thanks for taking the time to clarify this issue with NIST.
> > 
> > I just want to add one remark, drawn from personal experience, which
> > concurs with Serge's previous email.
> > 
> > While LRW-AES is not an approved mode, I believe implementations of LRW
> > have been approved for FIPS 140-2 as part of crypto modules by
> > considering it as preprocessing of the plaintext and postprocessing of
> > the ciphertext, instead of a new mode. - A rather ridiculous
> > distinction I agree, but which seems to be fine with (some, most?)
> > FIPS labs -
> > So as far as I know it does not preclude FIPS certification of the
> > module, and while using LRW-AES, the module stays in FIPS mode. You
> > just won't see LRW-AES as an approved mode on the final FIPS
> > certificate.
> > 
> > In any case, I do agree that submitting it to NIST would be a good
> > solution to clear up all those doubts.
> > 
> > Regards,
> > Cyril
> > --
> > Cyril Guyot
> > HGST Research
> > 
> > "Matt Ball" <[EMAIL PROTECTED]> wrote on 03/29/2006 07:46:52 AM:
> > 
> > > Thanks Morris for this clarification!
> > > 
> > > Everyone else,
> > > 
> > > Here is a message from Morris Dworkin concerning eligibility of LRW
> > > mode for FIPS 140-2 certification.  Morris has published several
> > > NIST standards, including SP800-38a "Recommendation for Block Cipher
> > > Modes of Operation", which is the standard that specifies the
> > > allowed AES modes-of-operations for FIPS 140-2.
> > > 
> > > According to Morris, LRW is not currently an approved encryption
> > > mode for FIPS 140-2 certification.
> > > 
> > > -Matt
> > > -----Original Message-----
> > > From: Morris Dworkin [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, March 29, 2006 7:40 AM
> > > To: Matt Ball
> > > Subject: Re: IEEE P1619 LRW mode and FIPS 140-2 certification
> > > 
> > > Dear Matt,
> > > 
> > > LRW is not currently an approved encryption mode, and LRW cannot be
> > > equated to ECB for FIPS 140-2 certification.  We would consider
> > > approving LRW if a proposal for it was submitted to us.
> > > 
> > > Regards,
> > > 
> > > Morris
> > > 
> > > At 09:25 AM 3/28/2006 -0700, you wrote:
> > > 
> > > Hi Morris,
> > > 
> > > I was hoping you could help me answer a question.  There's been some
> > > discussion recently on the IEEE 1619 e-mail list about whether the
> > > AES-LRW mode would be acceptable for NIST FIPS 140-2 certification.
> > > I was wondering if you could help us with the official NIST stance
> > > on the LRW mode.  The current speculation is that it is possible to
> > > get approval by equating LRW mode to ECB mode, where ECB is
> > > acceptable under NIST SP 800-38a.  However, there is an equally good
> > > cryptographic argument that says LRW is not ECB, and therefore
> > > cannot currently be FIPS 140-2 certified.  I was wondering if you
> > > could shed some light on the subject for the benefit of the IEEE
> > > 1619 workgroup.
> > > 
> > > Thanks!
> > > 
> > > Matt Ball
> > > Embedded Software Engineer
> > > Quantum Corporation
> > > 4001 Discovery Drive, Suite 1100
> > > Boulder, CO 80303
> > > (720) 406-5766
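
Added example, not from anyone in the thread: LRW written as exactly the xor pre- and post-processing around an ECB block cipher that Cyril and Laszlo discuss, so the reader can see both why a lab might call it "ECB with pre/post-processing" and why that view says nothing about its security. A 4-round SHA-256 Feistel network is a constructed stand-in for AES-ECB, and the GF(2^128) reduction polynomial and bit ordering are assumed for illustration rather than taken from the P1619 draft.

```python
import hashlib

BLOCK = 16
R = 0x87  # x^128 reduced modulo x^128 + x^7 + x^2 + x + 1 (assumed polynomial)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:8]

def ecb_block(k: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Constructed stand-in for AES-ECB on one block: a 4-round SHA-256 Feistel network."""
    l, r = block[:8], block[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _round(k, rnd, l)), l) if decrypt else (r, _xor(l, _round(k, rnd, r)))
    return l + r

def gf128_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128); bit i of an int is the coefficient of x^i (assumed convention)."""
    p = 0
    for _ in range(128):
        if b & 1:
            p ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & ((1 << 128) - 1)
        if carry:
            a ^= R
    return p

def lrw(k1: bytes, k2: bytes, data: bytes, first_index: int, decrypt: bool = False) -> bytes:
    """LRW: C_i = E_K1(P_i xor T_i) xor T_i with tweak T_i = K2 * i in GF(2^128).
    Relative to ECB the only change is the xor with T_i before and after the block cipher."""
    assert len(data) % BLOCK == 0
    k2i = int.from_bytes(k2, "big")
    out = bytearray()
    for n in range(len(data) // BLOCK):
        t = gf128_mul(k2i, first_index + n).to_bytes(BLOCK, "big")   # the tweak
        blk = data[n * BLOCK:(n + 1) * BLOCK]
        out += _xor(ecb_block(k1, _xor(blk, t), decrypt), t)          # pre-xor, E/D, post-xor
    return bytes(out)

def ecb(k1: bytes, data: bytes) -> bytes:
    return b"".join(ecb_block(k1, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def repeats_visible(k1: bytes, k2: bytes) -> tuple:
    """Two identical plaintext blocks: ECB repeats the ciphertext block, LRW does not."""
    two = bytes(BLOCK * 2)
    e, l = ecb(k1, two), lrw(k1, k2, two, 1)
    return e[:BLOCK] == e[BLOCK:], l[:BLOCK] == l[BLOCK:]
```

The tweak key K2 and the field multiplication are the whole difference between the two modes, which is why LRW's security rests on Shai's proof of that construction and not on ECB's approval.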
