Re: Threat Model
On Tuesday 13 April 2004 03:08 pm, Williams, Jim wrote:
> I am certainly sympathetic with the above arguments.
>
> However, EME has some pretty big holes:
> [...]
I wholeheartedly agree. As I wrote before, I think that one should
only use (plain vanilla) EME when absolutely forced to use length-
preserving encryption. And I worry that we don't stress that enough.
> I was specifically talking about the addition of the 64 bit "Block guard"
> which I believe is under discussion in T11. Perhaps someone can be more
> specific here.
So maybe I don't understand what you mean by a "Block guard". I
thought you were referring to additional 64 bits that are attached
to every sector, and are checked at decryption time. This is just
an authentication tag. Is "Block guard" something else?
> [...]
> As such, the requirement is that any modification of the data (other than
> replay) results in a probability no more than 2^-64 that the result
> will pass the block guard check. This is a potentially easier requirement
> to meet than the requirement that the decrypted data look random.
Well, formally speaking it is not (but it would be weaker if you
replace 2^{-64} with, say, 2^{-63}).
-- Shai