SPC-4, 07-449r9: Should we mandate AES-GCM or AES-CBC-HMAC for IKEv2-SCSI

Matt Ball matt.ball at IEEE.org
Mon Oct 15 09:38:58 PDT 2007

Formatted message: <A HREF="r0710150_f.htm">HTML-formatted message</A>

Hi Security Folks,
This is the only comment received so far concerning mandating GCM vs. CBC
for IKEv2-SCSI, and it recommends using CBC.  The current IKEv2-SCSI draft
specifies CBC-HMAC, so we'll keep it that way unless anyone else wants to
defend GCM.
On 10/15/07, Subhash Sankuratripati  wrote:
>  Matt,
> NetApp is against the use of GCM (in 256-bit mode) with the assumption
> that the block size of GCM (per SP 800-38D) is 128 bits.
> Authentication strength unlike Encryption Strength is limited by block
> size. Hence it is our opinion that GCM cannot be used in 256-bit mode of
> operation.
> Thanks,
> -Subhash.
>  ------------------------------
> *From:* * *Matt Ball
> *Sent:* Wednesday, September 19, 2007 5:06 PM
> *To:* t10 <t10 at t10.org>
> *Cc:* David Black
> *Subject:* SPC-4, 07-449r9: Should we mandate AES-GCM or AES-CBC-HMAC for
> Now that we've preliminarily decided to allow both the 128-bit and 256-bit
> columns in IKEv2-SCSI (T10/07-449), the next straw poll for the group is to
> decide which symmetric encryption mode to mandate for IKEv2-SCSI.  The
> choices are as follows:
> a) AES-GCM; or
> GCM is generally faster in both software and hardware implementations.
> CBC-HMAC-SHA is currently FIPS 140-2-approved (SP 800-38A + FIPS 198a +
> 180-2).  However, NIST will likely approve SP 800-38D (GCM) by the time
> IKEv2-SCSI is finished.
> Please check with your crypto dudes and let David Black and me know which
> choice you prefer, and whether this is a strong preference.  I'm hoping we
> can resolve this by the next CAP security conference call, or Vegas at the
> latest.
> --
> Thanks!
> Matt Ball
> 303-717-2717
> http://www.linkedin.com/in/matthewvball

More information about the T10 mailing list