From: Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: GCM / seqiv and SP800-38D
Date: Sun, 1 Mar 2015 21:17:28 +1300
Message-ID: <20150301081728.GA14110@gondor.apana.org.au>
References: <5009281.r2g8PApWDK@tauon>
 <20150228104712.GA7720@gondor.apana.org.au>
 <3241224.tIGo75L0M7@tachyon.chronox.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: linux-crypto@vger.kernel.org
To: Stephan Mueller <smueller@chronox.de>
Return-path: <linux-crypto-owner@vger.kernel.org>
Received: from helcar.apana.org.au ([209.40.204.226]:43192 "EHLO
	helcar.apana.org.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751075AbbCAIRe (ORCPT
	<rfc822;linux-crypto@vger.kernel.org>);
	Sun, 1 Mar 2015 03:17:34 -0500
Content-Disposition: inline
In-Reply-To: <3241224.tIGo75L0M7@tachyon.chronox.de>
Sender: linux-crypto-owner@vger.kernel.org
List-ID: <linux-crypto.vger.kernel.org>

On Sat, Feb 28, 2015 at 01:08:03PM +0100, Stephan Mueller wrote:
> Am Samstag, 28. Februar 2015, 23:47:12 schrieb Herbert Xu:
> 
> Hi Herbert,
> 
> > On Thu, Feb 19, 2015 at 07:56:48AM +0100, Stephan Mueller wrote:
> > > In case of rfc4106(gcm(aes)), the IV is 96 bits. Thus, our constructed
> > 
> > > IV looks like:
> > The IV to rfc4106 is 96 bits, but the IV to the underlying gcm
> > is 128 bits so that's what guarantees the uniqueness.
> 
> We have to be careful with the wording here: SP800-38D specifies the 96 bits 
> as the IV (also called the nonce). The additional 32 bit you refer to is the 
> counter for the CTR mode. The complete 128 bit are *not* referred to when 
> SP800-38D speaks about the uniqueness of IVs in section 8.2.1 or 8.2.2.
> 
> Thus, we come back to the 96 bits. And I do not dispute that there is almost 
> zip probability of collisions, all I want to state is that the construction 
> method with seqiv does neither comply with section 8.2.1 nor with 8.2.2. That 
> means, the GCM IV construction currently does not meet the specification of 
> SP800-38D. Furthermore, the authors of SP800-38D currently do not approve of 
> the seqiv construction method.

The 96 bits are guaranteed to be unique for a given key because the
64-bit sequence number is given to us by the IPsec stack which must
guarantee its uniqueness.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt