On Jul 14, 2010, at 1:52 AM, Florian Weimer wrote: > What's the current state of affairs regarding combined encryption and > authentication modes? > > I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I > couldn't find test vectors), but I later came across CCM and EAX. CCM > has the advantage of being NIST-reviewed. EAX can do streaming (but > that's less useful when doing authentication). Neither seems to be > widely implemented. But both offer a considerable reduction in > per-message overhead when compared to the HMAC-SHA1/AES combination. > > Are there any other alternatives to consider?
If there is no room for or an integrity field, you can look at XTS-AES. http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf > Are there any traps should be aware of when implementing CCM? CCM is a "counter mode cipher", so don't reuse the count (with any reasonable probability). Jim --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com