Hi Jim,

I think the original wording was what I meant, although I'm sure there is a better way to describe it. Let's talk about it tomorrow.

-Matt
-----Original Message-----
From: james hughes
Sent: Monday, May 15, 2006 7:57 AM
To: Matt Ball
Cc: james hughes;
Subject: Re: P1619.1-D6 Draft
I am worried about the discussion of 6.2.3... This seems to be slightly incorrect. The text "IV-collision between any pair of IVs generated by the VB-device within two different VB-medias is no greater than 1 in 2^96" seems to ignore the size of the set that we choose "any pair" from. Would the words "IV-collision between a new IV generated by the VB-device and previous VB-media IVs is no greater than 1 in 2^96" be better?

Comments?

Jim
On May 10, 2006, at 7:27 PM, Matt Ball wrote:

> Hi Everyone,
>
> I've attached the newest P1619.1-D6 draft. Here is a list of the changes from D5:
>
> - Added test vectors for CCM and GCM, based on e-mail discussions. I still need to add the full IV for CCM, based on Doug Whiting's recommendation.
>
> - Added new informative appendix C "Security concerns". I've moved some security-related notes to this appendix.
>
> - Removed section 4.9 "Algorithm identifier". If anyone wants to keep this section, please send me a proposal for these details. My thinking is that these details should be specified at a higher level, such as T10 (SCSI).
>
> - Changed references to 'entropy' to 'number derived from a PRNG', according to Shai's recommendations.
>
> - Changed GCM reference to refer to SP 800-38D instead of the GCM proposal.
>
> - I looked over the Galois multipliers in both the old and new GCM specs, and they look the same.
>
> - Trimmed some fat from the GCM clause (5.2).
>
> - Changed the order of the 'FormatSpecific' and 'UserKey' fields within the Key Transform (clause 6.2.2). The entropy loss from the key transform will be less if the key is placed last.
>
> - Misc. cleanup.
>
>
> Notes:
>
> I sent a formal request to NIST asking whether the key transform used in P1619.1-D5 is acceptable in a FIPS 140-2-compliant device, running in an Approved mode of operation. They haven't responded yet, but I'll let the group know what they say. I'm going to hold off on including SP 800-56A until we get more guidance from NIST.
>
>
> Question:
>
> Is CCM mode allowed by NIST for authentication-only, for a FIPS 140-2 compliant solution? SP 800-38B specifies the 'CMAC' algorithm, which is subtly different than the CBC-MAC mode used by CCM. CMAC is a FIPS 140-2 Approved algorithm, whereas normal CBC-MAC is not Approved.
>
>
> Please let me know if you have any questions or comments!
>
> -Matt
>
> <P1619.1-D6.pdf>
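An added worked example, not part of this thread or of the P1619.1 draft, of the distinction Jim raises in the message above: the chance that one specific pair of IVs collides is not the same quantity as the chance that some pair out of a whole set of IVs collides, and neither is the same as the chance that one new IV repeats one of n earlier ones. The code assumes IVs are 96-bit values drawn uniformly and independently at random (so "1 in 2^96" is the single-pair probability); the IV width, the function names and the sample counts are my assumptions, not the draft's.

```python
"""Added example (not from the P1619.1 thread): IV-collision probabilities.

Assumption (mine, not the draft's): IVs are IV_BITS-bit values drawn
uniformly and independently at random, so the probability that two given
IVs are equal is 1/N with N = 2**IV_BITS. Everything else follows from that.
"""
import math
from fractions import Fraction

IV_BITS = 96            # assumed IV width; the draft's 2^96 figure suggests it
IV_SPACE = 1 << IV_BITS  # N, the number of distinct IV values


def p_specific_pair(iv_bits: int = IV_BITS) -> Fraction:
    """P(two given random IVs are equal) = 1/N. This is the only event for
    which "1 in 2^96" is the right number."""
    return Fraction(1, 1 << iv_bits)


def p_new_iv_collides(n_previous: int, iv_bits: int = IV_BITS) -> Fraction:
    """P(one new random IV equals any of n_previous distinct earlier IVs).

    Grows linearly with the number of IVs already issued: n_previous / N.
    """
    return Fraction(n_previous, 1 << iv_bits)


def p_any_pair_collides(n: int, iv_bits: int = IV_BITS) -> float:
    """P(at least one collision among n random IVs): the birthday bound.

    Grows with the number of pairs, n(n-1)/2, so for any non-trivial set
    size it is far above 1/N. Exact product form for small n (all in
    integers, converted to float once); exp approximation otherwise, with
    math.expm1 so tiny probabilities keep their precision.
    """
    space = 1 << iv_bits
    if n < 2:
        return 0.0
    if n <= 256:
        # exact: 1 - prod_{i=0}^{n-1} (N - i) / N
        numerator = 1
        for i in range(n):
            numerator *= space - i
        return float(1 - Fraction(numerator, space ** n))
    expected_colliding_pairs = n * (n - 1) / (2 * space)
    return -math.expm1(-expected_colliding_pairs)


def max_ivs_for_pair_bound(bound: Fraction, iv_bits: int = IV_BITS) -> int:
    """Largest set size n whose birthday bound (using the usual n^2 / 2N
    approximation) stays at or below `bound`: n = floor(sqrt(2 * N * bound))."""
    space = 1 << iv_bits
    return math.isqrt(2 * space * bound.numerator // bound.denominator)


if __name__ == "__main__":
    n = 1 << 20  # constructed sample: a million-odd IVs already issued
    print("specific pair      :", float(p_specific_pair()))
    print("new IV vs", n, "old :", float(p_new_iv_collides(n)))
    print("any pair among", n, ":", p_any_pair_collides(n))
    print("IVs before pair bound hits 2^-32:",
          max_ivs_for_pair_bound(Fraction(1, 1 << 32)))
```

Run stand-alone it prints the three probabilities for a set of 2^20 IVs; the "any pair" figure is roughly 2^19 times the "new IV" figure, which is the set-size dependence the message above points at. The last line shows the flip side: with 96-bit random IVs, about 2^32.5 IVs can be issued before the all-pairs collision probability reaches 2^-32, whereas the single-pair figure stays at 2^-96 regardless of how many IVs exist.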