Hi Eric and all,

Regardless of the actual record size, each 128-bit block encryption is performed with a unique 128-bit counter which is formed by the 96-bit IV and the 32-bit counter_block value called CB in NIST SP 800-38D under a given key as long as the number of encrypted records is not more than 2^64.

Assuming a user would like to limit the probability of a collision among 128-bit ciphertext-blocks under 1/2^32, the data limit of the ciphertext (or plaintext) is 2^(96/2) (= 2^48) 128-bit blocks which is 2^64 bytes.

Reading the 2nd paragraph of section 5.5, a user might feel that he/she needs to rekey a lot more quickly than he/she needs. Putting an unnecessarily low data limit of 2^24.5 full-size records (2^38.5 bytes) also creates an incorrect negative impression (in my opinion) about GCM.

I would like to request the working group to consider revising the text.

Regards,
Quynh.
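The counter construction described in the message above, as an added example that is not part of the original post. It assumes the TLS 1.3 per-record nonce rule (static IV XOR the 64-bit sequence number, RFC 8446 Section 5.3) and the SP 800-38D layout for 96-bit IVs; the function names and the sample IV are constructed for illustration.

```python
# Added illustration: names and the sample IV are constructed, not from the post.
BLOCK = 16  # AES block size in bytes


def record_nonce(static_iv: bytes, seq: int) -> bytes:
    """Assumed TLS 1.3 rule: 96-bit static IV XOR zero-padded 64-bit sequence number."""
    if len(static_iv) != 12 or not 0 <= seq < 2**64:
        raise ValueError("need a 96-bit IV and a sequence number below 2^64")
    return bytes(a ^ b for a, b in zip(static_iv, seq.to_bytes(12, "big")))


def counter_blocks(nonce: bytes, plaintext_len: int) -> list:
    """128-bit AES inputs for one record: nonce || 32-bit counter.

    Counter value 1 (J0) masks the tag; data blocks use 2, 3, ...
    """
    n_blocks = -(-plaintext_len // BLOCK)  # ceiling division
    if n_blocks > 2**32 - 2:
        raise ValueError("record exceeds the 32-bit counter space")
    return [nonce + ctr.to_bytes(4, "big") for ctr in range(1, 2 + n_blocks)]


def first_repeat(static_iv: bytes, seqs, record_len: int):
    """Return the first sequence number whose AES inputs repeat an earlier one, else None."""
    seen = set()
    for seq in seqs:
        blocks = counter_blocks(record_nonce(static_iv, seq), record_len)
        if any(b in seen for b in blocks):
            return seq
        seen.update(blocks)
    return None


if __name__ == "__main__":
    iv = bytes(range(12))  # constructed sample static IV
    # 64 full-size records (2^14 bytes each): every AES input is distinct.
    print(first_repeat(iv, range(64), 2**14))
    # Failure mode: a repeated sequence number reuses every counter block.
    print(first_repeat(iv, [0, 1, 2, 1], 2**14))
```

The check covers uniqueness of the AES inputs only; it says nothing about the collision probability among ciphertext blocks that the message discusses.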