Hi Security Folks,<br><br>This is the only comment received so far concerning mandating GCM vs. CBC for IKEv2-SCSI, and it recommends using CBC.&nbsp; The current IKEv2-SCSI draft specifies CBC-HMAC, so we&#39;ll keep it that way unless anyone else wants to defend GCM.
<br><br>Thanks,<br>-Matt<br><br><div><span class="gmail_quote">On 10/15/07, <b class="gmail_sendername">Subhash Sankuratripati</b>&nbsp; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">




<div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span>Matt,</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span></span></font>&nbsp;</div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span>NetApp is against the use of GCM (in 256-bit mode) with 
the assumption that the block size of GCM (per SP 800-38D) is 128 
bits.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span></span></font>&nbsp;</div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span>Authentication strength unlike Encryption Strength is 
limited by block size. Hence it is our opinion that GCM cannot be used in 
256-bit mode of operation.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span></span></font>&nbsp;</div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span>Thanks,</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Verdana" size="2"><span>-Subhash.</span></font></div><br>
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b>&nbsp;<b> </b>Matt Ball<br><b>Sent:</b> 
Wednesday, September 19, 2007 5:06 PM<span class="q"><br><b>To:</b> <a href="mailto:t10@t10.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">t10</a><br><b>Cc:</b> 
David Black<br><b>Subject:</b> SPC-4, 07-449r9: Should we mandate AES-GCM or 
AES-CBC-HMAC for IKEv2-SCSI<br></span></font><br></div>
<div><span class="e" id="q_115a423c8f4ed337_3"><div></div>Now that we&#39;ve preliminarily decided to allow both the 128-bit and 
256-bit columns in IKEv2-SCSI (T10/07-449), the next straw poll for the group is 
to decide which symmetric encryption mode to mandate for IKEv2-SCSI.&nbsp; The 
choices are as follows: <br><br>a) AES-GCM; or<br>b) AES-CBC-HMAC-SHA<br clear="all"><br>GCM is generally faster in both software and hardware 
implementations.&nbsp; CBC-HMAC-SHA is currently FIPS 140-2-approved (SP 800-38A 
+ FIPS 198a + FIPS 180-2).&nbsp; However, NIST will likely approve SP 800-38D 
(GCM) by the time IKEv2-SCSI is finished. <br><br>Please check with your crypto 
dudes and let David Black and me know which choice you prefer, and whether this 
is a strong preference.&nbsp; I&#39;m hoping we can resolve this by the next CAP 
security conference call, or Vegas at the latest. <br><br>-- <br>Thanks!<br>Matt 
Ball<br>IEEE SISWG Chair<br>303-717-2717<br><a href="http://www.linkedin.com/in/matthewvball" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.linkedin.com/in/matthewvball</a> 
</span></div></div>
</blockquote></div>