Valery Smyslov writes: > The draft lists the following trasforms based on AES cipher: > > AES-GCM > AES-CCM > AES-CTR > AES-128-CBC > AES-GMAC > AES-XCBC-MAC-96 > > All these transforms, except for AES-XCBC-MAC-96, > allows to be used with different key lengths - 128, 192 and 256 bits. > It looks strange to me that, unlike the others, AES-128-CBC > has key length explicitely specified in the draft. Why it differs in > this respect from the others? What about AES-192-CBC and > AES-256-CBC - are they also "MUST" or "MAY"? Or even "MUST NOT"? :-)
Hmm... actually we should most like use the same names we use in the IANA registry. For example we have 3 different types of AES-GCM: 18 AES-GCM with a 8 octet ICV [RFC4106] [RFC5282] 19 AES-GCM with a 12 octet ICV [RFC4106] [RFC5282] 20 AES-GCM with a 16 octet ICV [RFC4106] [RFC5282] Which one of those is the one that is moved to SHOULD+? Should we just pick one of them, and say that it is the one we prefer, or should all implementations implement all of them? AES-CCM has similar thing, but as they are moving to MAY it does not really matter. And yes, I agree the AES-128-CBC should be changed to AES-CBC. In the RFC4305 and RFC4835 we had text like "AES-CBC with 128-bit keys", but as we now have more AES modes, we should probably just add text saying that for 128-bit keys for AES is MUST. Also for AES-GMAC we need to decide which of the ones we are saying is SHOULD+: 9 AUTH_AES_128_GMAC [RFC4543] 10 AUTH_AES_192_GMAC [RFC4543] 11 AUTH_AES_256_GMAC [RFC4543] > I think the draft should either: > - remove explicit key length from AES-128-CBC and make it just > AES-CBC > - add explicit key length to all other AES-based transforms (except for > AES-XCBC-MAC-96) AES-XCBC-MAC-96 is always defined to be have 128-bit key. The key length cannot be negotiated when using the authentication algorithm, it can only be negotiated for the encryption keys. Thats why the AUTH_AES_*_GMAC authentication algorithms are defined as 3 different algorithms. > - leave things as is, but explain why AES-CBC differs in this respect from > the others I think that is bad idea. I think the best is to say that in general with AES encryption (GCM, CBC, CCM etc) we assume the key length is 128-bits. (i.e. the MUST for AES-CBC is for 128-bit keys, and the SHOULD+ for AES-GCM is also for 128-bit keys with x octect ICV). -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
