All of the early schemes were broken, as was the NSA's submission to the AES Modes of Operation workshop. However, three schemes, all similar in principle, have not only survived, but have proofs of correctness. The first was Charanjit Jutla's IAPM mode, another is Rogaway's OCB, and the third is from Gligor and Pompescu but I can't remember its name (I'm passing through SFO as I write this, so forgive me for not having references to hand).
Phil Hawkes and I have extended IAPM (and I believe the method is applicable to the other modes too) so that you can authenticate parts of the message that are not encrypted, like IP headers for example. We sent public comments to NIST about this, or I can post more detail if you need.

regards,
Greg.

At 05:29 PM 11/24/2001 -0500, Radia Perlman - Boston Center for Networking wrote:
>In the last few years I've heard of some one-pass schemes
>(schemes that with one cryptographic pass over the data encrypt
>the data and generate an integrity check), and I've
>also heard of some schemes being broken. Does anyone know what
>schemes have been broken and which schemes are still considered secure?
>Are these schemes mature enough to be considered in standards? And
>does anyone know about the patent status of these schemes?
>
>References to papers would be appreciated.
>
>Thanks,
>
>Radia
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to
>[EMAIL PROTECTED]

Greg Rose                          INTERNET: [EMAIL PROTECTED]
Qualcomm Australia                 VOICE:    +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,        http://people.qualcomm.com/ggr/
Gladesville NSW 2111               232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
