From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 3 17:57:34 2005
Date: Thu, 03 Mar 2005 10:54:42 -0700 (MST)
Message-Id: <20050303.105442.74738904.imp@bsdimp.com>
To: rcoleman@criticalmagic.com
From: Warner Losh
In-Reply-To: <42274A0C.5010403@criticalmagic.com>
References: <8837.1109868465@critter.freebsd.dk> <42274A0C.5010403@criticalmagic.com>
cc: elric@imrryr.org, tls@rek.tjls.com, phk@phk.freebsd.dk, hackers@freebsd.org, tech-security@NetBSD.org, crypto@metzdowd.com
Subject: Re: FUD about CGD and GBDE
List-Id: Technical Discussions relating to FreeBSD

> For instance, the NIST specification for AES and CCM mode (NIST Special
> Publication 800-38C) specifically states that you must limit the number
> of invocations of the block cipher (specifically AES) to 2^61. Now, I
> realize that is an upper bound. But even after removing several orders
> of magnitude, that leaves a huge amount of material you can encrypt with
> a single key.
phk's point is that encrypting ~2^10 bytes of data with the same key is better than encrypting ~2^40 bytes. While there may be theoretical reasons to believe that you can get away with much more than 2^9, the whole history of crypto is filled with examples of coding systems, once believed to be secure, that were broken because the same key was used for a lot of traffic. phk's fundamental point isn't that you can't get away with encrypting large amounts of data, in theory, but rather that it is more conservative to do less. Both from the point of view of this history and also from the point of view of the amount of data that's disclosed should one key be recovered.

Others have a differing point of view. History is also littered with strongly held views that turned out to be wrong. Time will tell if either or both of these views is good or not.

Warner
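The trade-off the message describes (a single key over ~2^40 bytes versus a fresh key per ~2^10-byte chunk) can be made concrete by counting what a single key is exposed to. The following is an added example, not code from this thread nor from GBDE or CGD: it derives one key per fixed-size chunk from a master key with HMAC-SHA256 (a hypothetical key schedule chosen for illustration), counts how many 16-byte block-cipher invocations and how many bytes each key ever sees, and compares the invocation count against the 2^61 bound quoted from SP 800-38C. The cipher itself is left abstract; only the per-key accounting is modelled.

```python
"""Per-key exposure accounting for a chunked key schedule.

Added example (not from the mailing-list thread, nor GBDE/CGD code).
Assumptions: AES-sized 16-byte blocks, one key per fixed-size chunk,
chunk keys derived from a master key with HMAC-SHA256 (hypothetical KDF).
"""
import hashlib
import hmac
import math

BLOCK_BYTES = 16            # AES block size
NIST_CCM_LIMIT = 2 ** 61    # block-cipher invocations per key, as quoted from SP 800-38C


def chunk_key(master_key: bytes, chunk_index: int) -> bytes:
    """Derive an independent 256-bit key for one chunk (HMAC-SHA256 as the KDF)."""
    return hmac.new(master_key, chunk_index.to_bytes(8, "big"), hashlib.sha256).digest()


def blocks_per_key(bytes_per_key: int) -> int:
    """Number of block-cipher invocations a key performs over its chunk."""
    return math.ceil(bytes_per_key / BLOCK_BYTES)


def exposure(total_bytes: int, bytes_per_key: int) -> dict:
    """Summarise what recovering one key would disclose for a volume of total_bytes.

    Returns the number of keys in play, bytes disclosed per key, block-cipher
    invocations per key, and the fraction of the 2^61 bound those invocations use.
    """
    keys = math.ceil(total_bytes / bytes_per_key)
    per_key = min(bytes_per_key, total_bytes)
    invocations = blocks_per_key(per_key)
    return {
        "keys": keys,
        "bytes_per_key": per_key,
        "invocations_per_key": invocations,
        "limit_fraction": invocations / NIST_CCM_LIMIT,
    }


class KeySchedule:
    """Hands out the key for a byte offset and never lets a key outlive its chunk."""

    def __init__(self, master_key: bytes, bytes_per_key: int):
        if bytes_per_key % BLOCK_BYTES:
            raise ValueError("chunk size must be a whole number of blocks")
        if blocks_per_key(bytes_per_key) > NIST_CCM_LIMIT:
            raise ValueError("chunk would exceed the per-key invocation bound")
        self.master_key = master_key
        self.bytes_per_key = bytes_per_key

    def key_for_offset(self, offset: int) -> bytes:
        # Every byte within the same chunk maps to the same derived key;
        # crossing a chunk boundary silently rolls over to a new key.
        return chunk_key(self.master_key, offset // self.bytes_per_key)


if __name__ == "__main__":
    # Constructed scenario: a 1 TiB (2^40 byte) volume.
    one_key = exposure(2 ** 40, 2 ** 40)      # single key for everything
    per_sector = exposure(2 ** 40, 2 ** 10)   # fresh key per 1 KiB sector
    print("single key  :", one_key)
    print("per-sector  :", per_sector)
    sched = KeySchedule(b"constructed-master-key", 2 ** 10)
    print("offset 0 and 1023 share a key:", sched.key_for_offset(0) == sched.key_for_offset(1023))
    print("offset 1024 gets a new key   :", sched.key_for_offset(1024) != sched.key_for_offset(0))
```

Run stand-alone, the script shows that with a single key the 1 TiB volume costs 2^36 invocations, only 2^-25 of the quoted bound, which is the "you can encrypt a huge amount with one key" side of the argument; with a key per sector, each key is exposed for 64 invocations and a compromised key discloses 1 KiB rather than 1 TiB, which is the conservative side. Neither number says which view is right; it only makes the quantities both sides are talking about explicit.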