On 01/01/2016 06:35 AM, Aaron Zauner wrote:
> This might be a good time to point again to my existing AES-OCB
> draft that hasn't really seen a lot of discussion nor love lately.
> It expired but I've recently updated the draft (not yet uploaded
> to IETF as I'm waiting for implementer feedback from two particular
> sources). The update has something to do with how GCM is implemented
> in some stacks though, see:
> https://github.com/azet/draft-zauner-tls-aes-ocb/commit/26c2fff7808fc88bf47e5d097f2ff5ca23201029
OCB is, if anything, worse than GCM when it comes to data volume limits. It has the same confidentiality bounds as GCM (slightly worse, in fact), but once you hit a collision you also lose authenticity and enable simple forgeries [1].

The real issue here is the block size of AES, not the security bounds of particular modes. Those are by and large all limited by the birthday bound. You could go with more exotic beyond-birthday modes, but there don't seem to be any being proposed for TLS. The simple solution to the birthday blues is, of course, to use a larger block.

[1] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/General_Comments/papers/Ferguson.pdf

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
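The reply's point is that the data-volume limit comes from the block size, not from the choice of GCM versus OCB. The following is an added example written for this page, not code from the thread, the OCB draft, or any TLS stack. It models only the birthday term q^2 / 2^(n+1) (the PRP/PRF switching-lemma term that dominates the confidentiality bound of counter-based modes; the full GCM and OCB proofs carry further terms for tag length and query count that are deliberately left out), and uses a constructed target margin of 2^-32 to show how far one key can be used with 64-, 128- and 256-bit blocks before rekeying.

```python
import math

# Block sizes to compare; the list itself is a constructed example parameter.
BLOCK_SIZES_BITS = (64, 128, 256)


def collision_bound_log2(block_bits: int, blocks: int) -> float:
    """log2 of q^2 / 2^(n+1): the birthday term for q n-bit blocks under one key.

    This is an upper bound on the probability that two blocks collide, which is
    the event the thread refers to. It is the only term modelled here.
    """
    if blocks < 1:
        raise ValueError("need at least one block")
    return 2 * math.log2(blocks) - (block_bits + 1)


def max_blocks_log2(block_bits: int, max_adv_log2: float) -> float:
    """log2 of the largest q for which q^2 / 2^(n+1) <= 2^max_adv_log2.

    max_adv_log2 is the accepted collision probability as a (negative) power of
    two, e.g. -32 for 2^-32.
    """
    if max_adv_log2 > 0:
        raise ValueError("margin must be a probability, i.e. <= 2^0")
    return (block_bits + 1 + max_adv_log2) / 2


def max_bytes_log2(block_bits: int, max_adv_log2: float) -> float:
    """Same limit expressed in bytes (q blocks of block_bits/8 bytes each)."""
    return max_blocks_log2(block_bits, max_adv_log2) + math.log2(block_bits // 8)


def human_bytes(log2_bytes: float) -> str:
    """Render a log2 byte count as a rounded binary-prefixed size."""
    units = ("B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB")
    idx = min(int(log2_bytes // 10), len(units) - 1)
    return f"{2 ** (log2_bytes - 10 * idx):.1f} {units[idx]}"


def key_lifetime_table(max_adv_log2: float) -> dict:
    """Per block size: log2 blocks, log2 bytes and a readable byte limit."""
    table = {}
    for n in BLOCK_SIZES_BITS:
        b_log2 = max_bytes_log2(n, max_adv_log2)
        table[n] = {
            "blocks_log2": max_blocks_log2(n, max_adv_log2),
            "bytes_log2": b_log2,
            "bytes": human_bytes(b_log2),
        }
    return table


if __name__ == "__main__":
    # Constructed example: rekey before the block-collision term exceeds 2^-32.
    for n, row in key_lifetime_table(-32).items():
        print(f"{n:>3}-bit block: 2^{row['blocks_log2']:.1f} blocks, "
              f"~{row['bytes']} under one key")
    # Collision term after 2^32 AES blocks (64 GiB) under a single key.
    print(f"AES, 2^32 blocks: 2^{collision_bound_log2(128, 2**32):.0f}")
```

Run as a script it prints one line per block size; the spread between the 64-bit and 256-bit rows is the "use a larger block" argument in numbers. Because OCB and GCM share the same birthday term, swapping modes moves none of these limits; only changing the block size does.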
