
Addition to SP800-38A Ciphertext Stealing


Tom St Denis

Nov 16, 2010, 10:16:13 AM
Anyone read this yet?

http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/ciphertext%20stealing%20proposal.pdf

NIST came up with 3 different proposals for CTS (geez, one wasn't
enough?). I'm still baffled as to why people would use this over just
plain old simple CTR.

Tom

Tom St Denis

Nov 16, 2010, 10:17:36 AM
On Nov 16, 10:16 am, Tom St Denis <t...@iahu.ca> wrote:
> Anyone read this yet?
>
> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/ciphertext%20ste...

>
> NIST came up with 3 different proposals for CTS (geez, one wasn't
> enough?).  I'm still baffled as to why people would use this over just
> plain old simple CTR.
>
> Tom

Sorry, the correct URL is

http://csrc.nist.gov/publications/nistpubs/800-38a/addendum-to-nist_sp800-38A.pdf

Tom

Wolfgang Ehrhardt

Nov 16, 2010, 12:26:14 PM
On Tue, 16 Nov 2010 07:16:13 -0800 (PST), Tom St Denis <t...@iahu.ca>
wrote:

>Anyone read this yet?

1. XTS ?

2. Schneier ?

3. Interesting is the inflation of the number of CTS modes compared to
the 'Proposal To Extend CBC Mode By “Ciphertext Stealing”' from May
6, 2007.

amzoti

Nov 18, 2010, 9:06:50 PM
> http://csrc.nist.gov/publications/nistpubs/800-38a/addendum-to-nist_s...
>
> Tom

I would surmise the following (but you can contact that author at NIST
and verify this).

There are the three methods you mention and they are attributed as
follows:

* CBC-CS1 was specified as a suggestion on the NIST Computer
Security Resource Center web site.

* CBC-CS2 is specified, for example, in Ref. [3]. (Schneier, B.,
Applied Cryptography, Second Edition: protocols, algorithms, and
source code in C. New York: Wiley, 1996.)

* CBC-CS3 is the variant specified for Kerberos 5 in Ref. [2].
(Raeburn, K., Request for Comments 3962: Advanced Encryption Standard
(AES)
Encryption for Kerberos 5, Internet Engineering Task Force, February
2005.)

The three methods are probably all valid, are allowed and moreover,
are already likely being used - so the author wants to keep them as
they may already have some use in the field and those folks would not
want to change them.

I have no proof of this - but just guessing as sometimes penetration
in an area wins when no weakness is found.

I also would agree that a single and consistent method would have been
preferable - but too late. Also, I haven't studied the three, but
maybe they are also suited to programmable logic versus software
versus assembly methods of implementation.

My 2 cents.

~A
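The three layouts amzoti lists above, as an added example in Go that is not from this thread, from NIST, or from any Kerberos implementation: CBC-CS1, CS2 and CS3 all run the same CBC computation over the zero-padded message and differ only in how the last two ciphertext blocks are ordered, so one encrypt/decrypt pair plus a swap rule covers all three. AES-128 comes from Go's standard library. Everything else is this example's own choice: byte granularity where the addendum permits arbitrary bit lengths, returning a message of exactly one full block as plain CBC (nothing to steal), and the names `Variant`, `swapLast`, `ctsEncrypt`, `ctsDecrypt` and `rfc3962Vector1`. The known-answer check uses the first AES-128 vector from RFC 3962 Appendix B (key "chicken teriyaki", zero IV, 17-byte plaintext), which is the Kerberos variant the addendum calls CBC-CS3.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Variant selects one of the three CBC-CS layouts from the SP 800-38A addendum.
// All three share the CBC computation and differ only in the order of the last two blocks.
type Variant int

const (
	CS1 Variant = iota // C_{n-1}* (truncated to d bytes) then C_n
	CS2                // as CS1 when the last block is full, otherwise swapped
	CS3                // C_n then C_{n-1}*, swapped unconditionally (RFC 3962 / Kerberos 5)
)

// swapLast reports whether variant v puts C_n before C_{n-1}* when the final block has d bytes.
func swapLast(v Variant, d, bs int) bool { return v == CS3 || (v == CS2 && d != bs) }

// ctsEncrypt is CBC with ciphertext stealing at byte granularity (the addendum allows
// any bit length). A message of exactly one full block is returned as plain CBC since
// there is nothing to steal; that is this example's choice, not a rule from the addendum.
func ctsEncrypt(block cipher.Block, iv, plaintext []byte, v Variant) ([]byte, error) {
	bs := block.BlockSize()
	if len(iv) != bs || len(plaintext) < bs {
		return nil, fmt.Errorf("need a %d-byte IV and at least %d bytes of plaintext", bs, bs)
	}
	n := (len(plaintext) + bs - 1) / bs // block count, the last block possibly partial
	d := len(plaintext) - (n-1)*bs      // bytes in the final block, 1..bs

	// Zero-pad P_n to a full block and run ordinary CBC over all n blocks.
	padded := make([]byte, n*bs)
	copy(padded, plaintext)
	full := make([]byte, n*bs)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(full, padded)
	if n == 1 {
		return full, nil
	}
	// Keep only the first d bytes of C_{n-1}: the dropped bytes are recoverable
	// from C_n, because D(C_n) = (P_n || 0..0) XOR C_{n-1}.
	a, b := full[(n-2)*bs:(n-2)*bs+d], full[(n-1)*bs:]
	if swapLast(v, d, bs) {
		a, b = b, a
	}
	out := append([]byte{}, full[:(n-2)*bs]...)
	return append(append(out, a...), b...), nil
}

// ctsDecrypt inverts ctsEncrypt for the same variant.
func ctsDecrypt(block cipher.Block, iv, ciphertext []byte, v Variant) ([]byte, error) {
	bs := block.BlockSize()
	if len(iv) != bs || len(ciphertext) < bs {
		return nil, fmt.Errorf("need a %d-byte IV and at least %d bytes of ciphertext", bs, bs)
	}
	n := (len(ciphertext) + bs - 1) / bs
	d := len(ciphertext) - (n-1)*bs
	if n == 1 {
		out := make([]byte, bs)
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
		return out, nil
	}
	// Undo the variant-specific ordering of the final d+bs bytes.
	tail := ciphertext[(n-2)*bs:]
	cPrev, cLast := tail[:d], tail[d:]
	if swapLast(v, d, bs) {
		cLast, cPrev = tail[:bs], tail[bs:]
	}
	// Raw-decrypt C_n: its first d bytes XOR C_{n-1}* give P_n, and its
	// remaining bs-d bytes are exactly the bytes stolen from C_{n-1}.
	z := make([]byte, bs)
	block.Decrypt(z, cLast)
	pLast := make([]byte, d)
	for i := range pLast {
		pLast[i] = z[i] ^ cPrev[i]
	}
	// With C_{n-1} restored, C_1..C_{n-1} decrypt as ordinary CBC.
	blocks := append(append(append([]byte{}, ciphertext[:(n-2)*bs]...), cPrev...), z[d:]...)
	pHead := make([]byte, len(blocks))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pHead, blocks)
	return append(pHead, pLast...), nil
}

// rfc3962Vector1 checks CS3 against the first AES-128 vector in RFC 3962 Appendix B
// (key "chicken teriyaki", zero IV, 17-byte plaintext).
func rfc3962Vector1() (bool, error) {
	block, err := aes.NewCipher([]byte("chicken teriyaki"))
	if err != nil {
		return false, err
	}
	got, err := ctsEncrypt(block, make([]byte, 16), []byte("I would like the "), CS3)
	if err != nil {
		return false, err
	}
	want, _ := hex.DecodeString("c6353568f2bf8cb4d8a580362da7ff7f97")
	return bytes.Equal(got, want), nil
}

func main() {
	block, _ := aes.NewCipher([]byte("chicken teriyaki"))
	iv := make([]byte, 16)
	// A 31-byte message (partial last block) and a 32-byte one (full last block).
	for _, msg := range []string{"I would like the General Gau's ", "I would like the General Gau's C"} {
		for v, name := range []string{"CS1", "CS2", "CS3"} {
			ct, _ := ctsEncrypt(block, iv, []byte(msg), Variant(v))
			fmt.Printf("%2d bytes %s: %x\n", len(msg), name, ct)
		}
	}
	ok, _ := rfc3962Vector1()
	fmt.Println("RFC 3962 vector 1 (CS3) matches:", ok)
}
```

Running it prints the three layouts for both messages: with a partial final block, CS2 and CS3 produce the same bytes and differ from CS1 only in the order of the last 31 bytes; with a full final block, CS2 collapses to CS1 (that is, plain CBC) while CS3 still swaps the last two blocks. The practical caveat is that the variants are not interoperable: a receiver that assumes the wrong one decrypts a corrupt tail with no error, because none of the three carries an integrity check any more than plain CBC does.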
