[Ach] The sad story of lonely AES-CTR

Aaron Zauner azet at azet.org
Wed Dec 18 15:56:20 CET 2013

Hi Robin,
On 18 Dec 2013, at 15:51, <robin.balean at a-trust.at> <robin.balean at a-trust.at> wrote:

> It seems that there are (were?) cipher suites that use AES CTR rather than AES CBC:  http://tools.ietf.org/html/draft-ietf-tls-ctr-01
> However this draft is from 2006 whereas GCM became a NIST standard in 2008.  It may be that these suites were originally considered in the draft but then replaced with GCM once the standard came out.
Yeah, thats the paper I refered to in the inital post in this thread :)

I’m just unsure why AES-CTR was never included and can’t seem to find any information on that on the web. I was hoping someone might have more insight into that.
things that come to mind:
	- performance (nope.)
	- security (nope?)
	- politics (quite possible)


> Robin
> -----Ursprüngliche Nachricht-----
> Von: Aaron Zauner [mailto:azet at azet.org] 
> Gesendet: Mittwoch, 18. Dezember 2013 15:34
> An: Robin Balean; ianG
> Cc: ach at lists.cert.at List Mailing
> Betreff: Re: [Ach] The sad story of lonely AES-CTR
> On 18 Dec 2013, at 15:23, <robin.balean at a-trust.at> <robin.balean at a-trust.at> wrote:
>> This is an interesting paper and actually they give the answer to your question on page 5.  In fact GCM is just CTR mode with Galois Hash for authentication.
> I'm aware of that. A quick peek on wikipedia will tell you that as well :)
>> It doesn't say why AES-CTR with other MAC algorithms are not supported.  
> I guess I'll have to ask someone involved with the TLS WG. It's not that they are not possible. They are simply not supported in the TLS standard (you can use them in other protcols, like SSH per default for example). HPN-SSH uses aes-ctr + window scaling and a couple of other tricks to achieve extremely good performance for data transfers. If you are a FreeBSD user: they switched to HPN-SSH a while ago. A lot of HPC sites run HPN-SSH on linux as well.
>> Nevertheless they do state on page 30: 
>> "AES-GCM is the best performing Authenticated Encryption combination among the NIST standard options (esp. compared to using HMAC SHA-1)"
> What they mean is not AES-CTR-SHA1 but AES-SHA1 - if I understand that correctly (which I suppose means some other, non parallelizable block cipher mode, right?).
> They state AES-CTR explicitly every time.
> The big thing about (galois) counter mode is that it's parallelizable. Which most other block cipher modes are not. Still I don't see why there is no AES-CTR option in TLS ciphersuites.
> @ian, Do you know anything about that?
> Aaron

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131218/7fad5b16/attachment.sig>

More information about the Ach mailing list