[Ach] The sad story of lonely AES-CTR

robin.balean at a-trust.at robin.balean at a-trust.at
Wed Dec 18 15:51:09 CET 2013 

It seems that there are (were?) cipher suites that use AES CTR rather than AES CBC:  http://tools.ietf.org/html/draft-ietf-tls-ctr-01

However this draft is from 2006 whereas GCM became a NIST standard in 2008.  It may be that these suites were originally considered in the draft but then replaced with GCM once the standard came out.

Robin

-----Ursprüngliche Nachricht-----
Von: Aaron Zauner [mailto:azet at azet.org] 
Gesendet: Mittwoch, 18. Dezember 2013 15:34
An: Robin Balean; ianG
Cc: ach at lists.cert.at List Mailing
Betreff: Re: [Ach] The sad story of lonely AES-CTR


On 18 Dec 2013, at 15:23, <robin.balean at a-trust.at> <robin.balean at a-trust.at> wrote:

> This is an interesting paper and actually they give the answer to your question on page 5.  In fact GCM is just CTR mode with Galois Hash for authentication.
I'm aware of that. A quick peek on wikipedia will tell you that as well :)

>  It doesn't say why AES-CTR with other MAC algorithms are not supported.  
I guess I'll have to ask someone involved with the TLS WG. It's not that they are not possible. They are simply not supported in the TLS standard (you can use them in other protcols, like SSH per default for example). HPN-SSH uses aes-ctr + window scaling and a couple of other tricks to achieve extremely good performance for data transfers. If you are a FreeBSD user: they switched to HPN-SSH a while ago. A lot of HPC sites run HPN-SSH on linux as well.

> Nevertheless they do state on page 30: 
> "AES-GCM is the best performing Authenticated Encryption combination among the NIST standard options (esp. compared to using HMAC SHA-1)"

What they mean is not AES-CTR-SHA1 but AES-SHA1 - if I understand that correctly (which I suppose means some other, non parallelizable block cipher mode, right?).
They state AES-CTR explicitly every time.

The big thing about (galois) counter mode is that it's parallelizable. Which most other block cipher modes are not. Still I don't see why there is no AES-CTR option in TLS ciphersuites.

@ian, Do you know anything about that?

Aaron

More information about the Ach mailing list