[Ach] The sad story of lonely AES-CTR

Aaron Zauner azet at azet.org
Wed Dec 18 15:34:03 CET 2013

On 18 Dec 2013, at 15:23, <robin.balean at a-trust.at> <robin.balean at a-trust.at> wrote:

> This is an interesting paper and actually they give the answer to your question on page 5.  In fact GCM is just CTR mode with Galois Hash for authentication.
I’m aware of that. A quick peek on wikipedia will tell you that as well :)

>  It doesn't say why AES-CTR with other MAC algorithms are not supported.  
I guess I’ll have to ask someone involved with the TLS WG. It’s not that they are not possible. They are simply not supported in the TLS standard (you can use them in other protcols, like SSH per default for example). HPN-SSH uses aes-ctr + window scaling and a couple of other tricks to achieve extremely good performance for data transfers. If you are a FreeBSD user: they switched to HPN-SSH a while ago. A lot of HPC sites run HPN-SSH on linux as well.

> Nevertheless they do state on page 30: 
> "AES-GCM is the best performing Authenticated Encryption combination among the NIST standard options (esp. compared to using HMAC SHA-1)”

What they mean is not AES-CTR-SHA1 but AES-SHA1 - if I understand that correctly (which I suppose means some other, non parallelizable block cipher mode, right?).
They state AES-CTR explicitly every time.

The big thing about (galois) counter mode is that it’s parallelizable. Which most other block cipher modes are not. Still I don’t see why there is no AES-CTR option in TLS ciphersuites.

@ian, Do you know anything about that?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131218/1fb495b5/attachment.sig>

More information about the Ach mailing list