On Mon, Feb 24, 2014 at 12:29 PM, Vijay Bharadwaj <
Vijay.Bharadwaj@microsoft.com> wrote:
> To be clear, I am not proposing any bookkeeping. The question is whether
> we want to add a step 3.5 in 18.10.6:
>
>
>
> If 2^length is less than (length of plaintext in bytes)/16, terminate this
> algorithm with an error.
>
>
>
> As I said, the Windows implementation does not expose CTR in CNG. However,
> were we to add it, I think we would follow the text in SP800-38A and
> implement this sanity check. The NIST validation suite for AES seems to
> suggest that labs check for this (see
> http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf Appendix A)
> so it is likely that an implementation that does not do this would face
> difficulties in FIPS validation.
>
>
>
>
>
Right, all implementations that I know of _do_ implement this hard check in
their limits for input, by virtue of following the text of SP800-38A.
However, given that a Key can be used for repeated operations, that in
their sum is greater than 2^length, I feel like we wouldn't be providing
any 'real' security.
Note that getting a UA to implement 2^length AES block sizes is going to be
a 'fun' issue. I suspect it only really comes into practical play if/when
we talk about a Streaming operation, since otherwise you have to allocate
2*2^length*16 bytes.