> For instance, the NIST specification for AES and CCM mode (NIST Special
> Publication 800-38C) specifically states that you must limit the number
> of invocations of the block cipher (specifically AES) to 2^61. Now, I
> realize that is an upper bound. But even after removing several orders
> of magnitude, that leaves a huge amount of material you can encrypt with
> a single key.
phk's point is that encrypting ~2^10 bytes of data with the same key is better than encrypting ~2^40 bytes. While there may be theoretical reasons to believe that you can get away with much more than 2^9, the whole history of crypto is filled with examples of coding systems, once believed to be secure, that were broken because the same key was used for a lot of traffic.

phk's fundamental point isn't that you can't get away with encrypting large amounts of data, in theory, but rather that it is more conservative to do less, both from the point of view of this history and from the point of view of the amount of data that's disclosed should one key be recovered.

Others have a differing point of view. History is also littered with strongly held views that turned out to be wrong. Time will tell if either or both of these views is good or not.

Warner

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
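The two positions in the thread (the SP 800-38C bound of 2^61 block-cipher invocations per key versus phk's much smaller per-key data budget) can be made concrete in code. The block below is an added example and is not code from the thread or from FreeBSD: it counts the AES invocations one CCM message costs the way the SP 800-38C formatting function lays them out (a CBC-MAC pass over B0, the associated data and the payload, plus a CTR pass over S0 and one counter block per payload block), converts the 2^61 limit into payload bytes for a given message size, and wraps a sender that rotates keys at a deliberately conservative byte budget long before the NIST limit is reached. The `RekeyingSender` class, its counter-based nonce scheme, the 2^40 default budget, and the injected `seal` callable are all assumptions of this example; the stand-in sealer used in the demo does no encryption and exists only so the file runs with the standard library.

```python
"""Per-key usage budgeting for AES-CCM (added example, not from the thread)."""
import math
import os
from dataclasses import dataclass, field
from typing import Callable, Tuple

BLOCK = 16
NIST_CCM_INVOCATION_LIMIT = 2 ** 61   # SP 800-38C: block-cipher calls per key lifetime


def ccm_invocations(payload_len: int, aad_len: int = 0) -> int:
    """Block-cipher calls one AES-CCM message costs.

    CBC-MAC pass: B0 + associated-data blocks + payload blocks.
    CTR pass:     S0 (masks the tag) + one block per payload block.
    Assumes aad_len < 2**16 - 2**8, i.e. the 2-byte AAD length encoding.
    """
    if aad_len >= 2 ** 16 - 2 ** 8:
        raise ValueError("example handles only the 2-byte AAD length encoding")
    payload_blocks = math.ceil(payload_len / BLOCK)
    aad_blocks = math.ceil((2 + aad_len) / BLOCK) if aad_len else 0
    cbc_mac = 1 + aad_blocks + payload_blocks
    ctr = 1 + payload_blocks
    return cbc_mac + ctr


def bytes_per_key_at_limit(message_len: int, aad_len: int = 0,
                           invocation_limit: int = NIST_CCM_INVOCATION_LIMIT) -> int:
    """Payload bytes one key may encrypt at the limit if every message is message_len bytes."""
    return (invocation_limit // ccm_invocations(message_len, aad_len)) * message_len


# (key, nonce, plaintext, aad) -> ciphertext. Plug a real AES-CCM in here;
# the example only does the accounting around it.
Sealer = Callable[[bytes, bytes, bytes, bytes], bytes]


@dataclass
class RekeyingSender:
    """Hypothetical sender that retires a key after a conservative byte budget."""
    seal: Sealer
    byte_budget: int = 2 ** 40                  # assumed cap, far below the NIST bound
    invocation_limit: int = NIST_CCM_INVOCATION_LIMIT
    key_len: int = 16
    nonce_len: int = 13                         # longest CCM nonce, 2-byte length field
    key_id: int = 0
    key: bytes = field(default_factory=lambda: os.urandom(16))
    bytes_used: int = 0
    invocations_used: int = 0
    messages: int = 0

    def _rotate(self) -> None:
        # Fresh key, fresh counters: the nonce counter may safely restart at 0.
        self.key = os.urandom(self.key_len)
        self.key_id += 1
        self.bytes_used = 0
        self.invocations_used = 0
        self.messages = 0

    def send(self, plaintext: bytes, aad: bytes = b"") -> Tuple[int, bytes, bytes]:
        """Seal one message, rotating the key first if either budget would be exceeded."""
        if len(plaintext) > self.byte_budget:
            raise ValueError("message larger than the per-key byte budget")
        cost = ccm_invocations(len(plaintext), len(aad))
        if (self.bytes_used + len(plaintext) > self.byte_budget
                or self.invocations_used + cost > self.invocation_limit):
            self._rotate()
        # Counter nonce: unique per key by construction, never reused after rotation.
        nonce = self.messages.to_bytes(self.nonce_len, "big")
        ciphertext = self.seal(self.key, nonce, plaintext, aad)
        self.bytes_used += len(plaintext)
        self.invocations_used += cost
        self.messages += 1
        return self.key_id, nonce, ciphertext


if __name__ == "__main__":
    # Stand-in sealer so the demo runs offline; it does NOT encrypt.
    sender = RekeyingSender(seal=lambda k, n, p, a: p, byte_budget=64)
    for msg in (b"a" * 40, b"b" * 30, b"c" * 20):
        key_id, nonce, _ = sender.send(msg)
        print(f"key {key_id} nonce {int.from_bytes(nonce, 'big')} len {len(msg)}")
    print("payload bytes per key at 2^61 invocations, 1500-byte messages:",
          bytes_per_key_at_limit(1500))
```

With the budget set to 64 bytes the demo rotates between the first and second message, which is the behaviour phk is arguing for scaled down to a toy size; at 1500-byte messages the NIST bound works out to a little under 2^64 payload bytes per key, which is the "huge amount of material" the quoted poster refers to.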