I am worried about the discussion of 6.2.3... This seems to be
slightly incorrect. The text "IV-collision between any pair of IVs
generated by the VB-device within two different VB-medias is no
greater than 1 in 2^96" seems to ignore the size of the set that we
choose "any pair" from. Would the words "IV-collision between a new
IV generated by the VB-device a previous VB-media IVs is no greater
than 1 in 2^96". Comments?
Jim
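To make the distinction Jim raises concrete, here is an added Python example (not part of the thread or the P1619.1 draft) that computes both bounds for uniformly random IVs: the chance that one fresh IV collides with any of n previously used IVs (n/2^96), versus the birthday-bound chance that some pair among n IVs collides (roughly n^2/2^97). It assumes IVs are drawn uniformly at random from a 96-bit space, which is an assumption made here for illustration, and checks the formula against a Monte Carlo run on a small IV space.

```python
"""Birthday-bound arithmetic for random IVs (added example; not from the thread or the draft).

Assumes each IV is drawn independently and uniformly from a 2**bits space.
"""
import math
import random

IV_BITS = 96  # IV size discussed in the thread (GCM/CCM-style 96-bit IVs)


def p_new_iv_collides(n_previous: int, bits: int = IV_BITS) -> float:
    """Probability that ONE fresh random IV equals any of n_previous distinct
    IVs already in use. Exactly n_previous / 2**bits; this is the quantity the
    proposed 'new IV vs. previous IVs' wording describes."""
    return n_previous / 2.0 ** bits


def p_any_pair_collides(n: int, bits: int = IV_BITS) -> float:
    """Probability that SOME pair among n independent random IVs collides
    (the birthday bound). Uses 1 - exp(-n(n-1)/2**(bits+1)), the standard
    approximation, via expm1 to stay accurate when the result is tiny.
    This grows with n**2, which is why 'any pair' is much weaker than
    'a new IV against the existing set'."""
    return -math.expm1(-(n * (n - 1)) / 2 ** (bits + 1))


def max_ivs_for_pair_bound(p_max: float, bits: int = IV_BITS) -> int:
    """Largest number of random IVs that keeps the birthday-bound collision
    probability at or below p_max: inverts the approximation above,
    n ~= sqrt(-2 * 2**bits * ln(1 - p_max)). Useful for deciding when a key
    must be retired so that the IV set stays below a chosen risk budget."""
    return math.floor(math.sqrt(-2.0 * 2 ** bits * math.log1p(-p_max)))


def simulate_pair_collision_rate(n: int, bits: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of p_any_pair_collides on a deliberately small IV
    space: draws n random IVs `trials` times and returns the fraction of
    draws containing at least one repeated IV."""
    rng = random.Random(seed)
    space = 2 ** bits
    hits = 0
    for _ in range(trials):
        ivs = [rng.randrange(space) for _ in range(n)]
        if len(set(ivs)) < n:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n = 2 ** 32  # a constructed, generous count of VB-medias / IVs under one key
    print(f"P(new IV hits one of {n} old IVs) = {p_new_iv_collides(n):.3e}")
    print(f"P(any pair among {n} IVs collides) = {p_any_pair_collides(n):.3e}")
    print(f"IVs allowed for pair-collision risk <= 2^-32: {max_ivs_for_pair_bound(2 ** -32)}")
    print(f"16-bit space, 100 IVs: predicted {p_any_pair_collides(100, 16):.4f}, "
          f"simulated {simulate_pair_collision_rate(100, 16, 10000):.4f}")
```

For 2^32 IVs the "new IV against the set" probability is 2^-64, while the "any pair" birthday probability is about 2^-33, roughly two billion times larger; the two statements are not interchangeable, which is the point of the proposed wording change.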
On May 10, 2006, at 7:27 PM, Matt Ball wrote:
Hi Everyone,
I've attached the newest P1619.1-D6 draft. Here is a list of the
changes from D5:
- Added test vectors for CCM and GCM, based on e-mail discussions.
I still need to add the full IV for CCM, based on Doug Whiting's
recommendation.
- Added new informative appendix C "Security concerns". I've moved
some security-related notes to this appendix.
- Removed section 4.9 "Algorithm identifier". If anyone wants to
keep this section, please send me a proposal for these details. My
thinking is that these details should be specified at a higher
level, such as T10 (SCSI).
- Changed references to 'entropy' to 'number derived from a PRNG',
according to Shai's recommendations.
- Changed GCM reference to refer to SP 800-38D instead of the GCM
proposal.
- I looked over the Galois multipliers in both the old and new GCM
specs, and they look the same.
- Trimmed some fat from the GCM clause (5.2).
- Changed the order of the 'FormatSpecific' and 'UserKey' fields
within the Key Transform (clause 6.2.2). The entropy loss from the
key transform will be less if the key is placed last.
- Misc. cleanup.
Notes:
I sent a formal request to NIST asking whether the key transform
used in P1619.1-D5 is acceptable in a FIPS 140-2-compliant device,
running in an Approved mode of operation. They haven't responded
yet, but I'll let the group know what they say. I'm going to hold
off on including SP 800-56A until we get more guidance from NIST.
Question:
Is CCM mode allowed by NIST for authentication-only, for a FIPS
140-2 compliant solution? SP 800-38B specifies the 'CMAC'
algorithm, which is subtly different than the CBC-MAC mode used by
CCM. CMAC is a FIPS 140-2 Approved algorithm, whereas normal CBC-MAC is not Approved.
Please let me know if you have any questions or comments!
-Matt
<P1619.1-D6.pdf>