On Mon, Feb 24, 2014 at 12:29 PM, Vijay Bharadwaj < Vijay.Bharadwaj@microsoft.com> wrote: > To be clear, I am not proposing any bookkeeping. The question is whether > we want to add a step 3.5 in 18.10.6: > > > > If 2^length is less than (length of plaintext in bytes)/16, terminate this > algorithm with an error. > > > > As I said, the Windows implementation does not expose CTR in CNG. However, > were we to add it, I think we would follow the text in SP800-38A and > implement this sanity check. The NIST validation suite for AES seems to > suggest that labs check for this (see > http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf Appendix A) > so it is likely that an implementation that does not do this would face > difficulties in FIPS validation. > > > > > Right, all implementations that I know of _do_ implement this hard check in their limits for input, by virtue of following the text of SP800-38A. However, given that a Key can be used for repeated operations, that in their sum is greater than 2^length, I feel like we wouldn't be providing any 'real' security. Note that getting a UA to implement 2^length AES block sizes is going to be a 'fun' issue. I suspect it only really comes into practical play if/when we talk about a Streaming operation, since otherwise you have to allocate 2*2^length*16 bytes.
Received on Monday, 24 February 2014 20:44:46 UTC