
Re: AES cipher suites



Comments below...

David Wagner wrote:
> 
> Scott G. Kelly wrote:
> >There are issues of backward compatibility: there are (recently) fielded
> >devices which contain hardware support for aes-cbc and not aes-ctr. Are
> >we to require vendors to forklift these devices?
> 
> Ok, I think there may be some confusion here.  I hope the confusion is
> not my fault.
> 
> I was not advocating any changes or any forklift upgrades.
> If I understand correctly, David Black asked for addition of new
> AES-CBC-encryption ciphersuites.  My question was why we need additional
> AES-CBC-encryption ciphersuites; what's wrong with AES-CTR, or with the
> status quo?  In other words, I'd like to understand what's wrong with
> the status quo before making changes.
> 
> Also, please note that there is a difference between AES-CBC-encryption
> and AES-CBC-MAC (or its variants, like AES-XCBC MAC).  They're
> orthogonal.  Modes like AES-CTR or AES-CBC-encryption are for
> confidentiality.  Modes like SHA1-HMAC or AES-CBC-MAC or AES-XCBC are
> for authentication+integrity.

Well, maybe I'm misunderstanding, but I have the impression that the
general thrust of this thread has been to *replace* AES-CBC with
AES-CTR. There is currently an AES-CBC document in the IESG's doc queue
that is a product of this wg, and based on that doc, hardware has been
released and products have been shipped. That means that if we toss it
out now, lots of time and money has been wasted. I hope that I really
have misunderstood.

Scott
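The distinction drawn in the quoted message, that AES-CTR and AES-CBC are confidentiality modes while AES-CBC-MAC, AES-XCBC and HMAC-SHA1 are authentication modes and the two choices are orthogonal, is easy to see in code. The following Go program is an added example written for this page; it is not code from the thread, from the IPsec working group documents, or from any implementation mentioned here. It encrypts the same payload with AES-CTR and AES-CBC, computes AES-XCBC-MAC as specified in RFC 3566, and combines a cipher with the MAC in an encrypt-then-MAC construction so that swapping the cipher mode leaves the integrity side untouched. The keys and IV are constructed demo values; CBC here uses PKCS#7 padding for brevity (ESP defines its own trailer padding), and the 96-bit tag truncation follows AES-XCBC-MAC-96.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"errors"
)

const bs = aes.BlockSize // 16
const tagLen = 12        // AES-XCBC-MAC-96: the 128-bit MAC truncated to 96 bits

// Constructed demo keys and IV (assumed values, not from the thread); as in ESP,
// encryption and authentication use independent keys.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210")
var demoIV = []byte("demo-iv-16-bytes")

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	return b
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// encryptCTR: confidentiality only. Stream mode: no padding, same length, decryption is the same call.
func encryptCTR(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(out, in)
	return out
}

// encryptCBC: confidentiality only. CBC needs whole blocks, so the plaintext
// is PKCS#7-padded first and the ciphertext is always longer than the input.
func encryptCBC(key, iv, in []byte) []byte {
	n := bs - len(in)%bs
	padded := append(append([]byte{}, in...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, padded)
	return out
}

// aesXCBCMAC: integrity only. AES-XCBC-MAC (RFC 3566): a zero-IV CBC-MAC under
// K1 whose final block is also XORed with K2 (full last block) or K3 (padded
// partial block); that final-block keying is what makes variable-length input safe.
func aesXCBCMAC(key, msg []byte) []byte {
	kb := mustAES(key)
	k1, k2, k3 := make([]byte, bs), make([]byte, bs), make([]byte, bs)
	kb.Encrypt(k1, bytes.Repeat([]byte{0x01}, bs))
	kb.Encrypt(k2, bytes.Repeat([]byte{0x02}, bs))
	kb.Encrypt(k3, bytes.Repeat([]byte{0x03}, bs))
	b1 := mustAES(k1)
	e := make([]byte, bs)      // E[0] = 0
	n := 1 + (len(msg)-1)/bs   // block count; the empty message is one padded block
	for i := 0; i < n-1; i++ { // all blocks but the last: plain CBC-MAC under K1
		xorInto(e, msg[i*bs:(i+1)*bs])
		b1.Encrypt(e, e)
	}
	last := make([]byte, bs)
	tail := msg[(n-1)*bs:]
	copy(last, tail)
	if len(tail) == bs {
		xorInto(last, k2)
	} else {
		last[len(tail)] = 0x80 // pad with a single 1 bit, then zeros
		xorInto(last, k3)
	}
	xorInto(e, last)
	b1.Encrypt(e, e)
	return e
}

// sealPacket/openPacket: encrypt-then-MAC with the two modes kept independent.
// The MAC covers IV and ciphertext and is compared in constant time.
func sealPacket(iv, plaintext []byte) []byte {
	ct := encryptCTR(encKey, iv, plaintext)
	tag := aesXCBCMAC(macKey, append(append([]byte{}, iv...), ct...))[:tagLen]
	return append(ct, tag...)
}

func openPacket(iv, sealed []byte) ([]byte, error) {
	if len(sealed) < tagLen {
		return nil, errors.New("packet too short")
	}
	ct, tag := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]
	want := aesXCBCMAC(macKey, append(append([]byte{}, iv...), ct...))[:tagLen]
	if !hmac.Equal(tag, want) {
		return nil, errors.New("authentication failed")
	}
	return encryptCTR(encKey, iv, ct), nil
}
```

Two things worth noticing when running it: a 20-byte payload becomes 20 bytes under CTR but 32 under CBC, which is the padding overhead the mode choice carries; and a single flipped ciphertext bit passes straight through CTR decryption as a flipped plaintext bit, so the cipher mode gives no integrity at all and openPacket only rejects the packet because of the independent MAC. aesXCBCMAC reproduces the RFC 3566 test vectors (for example, the empty message under key 000102...0f gives 75f0251d528ac01c4573dfd584d79f29); replacing encryptCTR with encryptCBC inside sealPacket/openPacket changes nothing on the authentication side, which is the orthogonality the quoted message describes.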