
Re: Internet Protocol Security Protocol (ipsec)



	 >pseudo-random seed value, but it fails to provide unpredictable error
	 >propagation, an important feature in support of detecting modification

	 If everyone else on this list is familiar with the phrase "unpredictable
	 error propagation" then obviously I'm a bit behind. However, the only
	 way to learn on an IETF list is to make a fool of yourself. It's worked
	 for me in the past!

	 Let me guess. Unpredictable error propagation means that if someone
	 changes a bit in a packet then the decrypted stream will not just
	 be temporarily wrong but will stay completely wrong from then on.
	 This increases the chance that the underlying process will die
	 rather than do something subtly wrong.

No, that's not what it means.  The problem with OFB mode is that the
attacker can control what the changes are in the decrypted plaintext.
With CBC, the enemy can scramble certain fields, but without any ability
to dictate the final contents.

Let me be more precise.  OFB works as follows:

	DES[n] = E(K,DES[n-1])
	C[n] = P[n] XOR DES[n]

That is, DES is run in a feedback loop, always in encrypt mode.  A
block of ciphertext is formed by XORing a block of this DES output
with a block of plaintext.  Decryption is done by generating the same
DES output stream -- still running DES in encrypt mode -- and XORing it
with the ciphertext.

Clearly, if I invert bit 17 of the ciphertext, I've inverted bit 17
of the decrypted plaintext.  Similarly, if the enemy knows that a
particular packet is from host 12.34.56.78, he or she could construct
the appropriate XOR pattern to make it appear as if the packet were from
87.65.43.21.

Yes, in theory it's possible to add a checksum.  But OFB mode is generally
employed when encrypting asynchronous streams, which makes checksumming a
bit difficult.

CBC mode is different.  Encryption is done by 

	C[n] = E(K, P[n] XOR C[n-1])

and decryption is

	P[n] = D(K, C[n]) XOR C[n-1]

An enemy who garbled block C[n-1] could, in fact, introduce a predictable
error into the decryption of P[n], but only at the expense of totally
garbling P[n-1].

Let me recommend the discussion of encryption modes in

@book{daviesprice,
   author = {Donald W. Davies and Wyn L. Price},
   edition = {second},
   publisher = {John Wiley \& Sons},
   title = {Security for Computer Networks},
   year = {1989}
}

It discusses all of this, and more.  I'll oversimplify by saying that for
general use, CBC is best for block encryption, and OFB is best for
stream encryption.


		--Steve Bellovin
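The two manipulations described in the message above (rewriting a source address under OFB, and the CBC variant that buys a predictable change in P[n] by garbling P[n-1]), as an added worked example that is not part of the original post and not code from any ipsec implementation. It builds OFB and CBC by hand from the formulas given above, using Go's standard crypto/des for E and D; the key, IV, packet layout and the offset of the source address are constructed assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"net"
)

const bs = 8     // DES block size in bytes
const srcOff = 8 // byte offset of the source address inside the packet (assumption)

// Constructed demo inputs (assumptions, not from the post): a DES key, an IV,
// and a 24-byte "packet" whose 4-byte source address sits in block 1.
var (
	key    = []byte("ipsecdem")
	iv     = []byte("initvect")
	packet = []byte{
		0x45, 0x00, 0x00, 0x18, 0x00, 0x00, 0x40, 0x00, // block 0: header-ish bytes
		12, 34, 56, 78, 10, 0, 0, 1, // block 1: src 12.34.56.78, dst 10.0.0.1
		'p', 'a', 'y', 'l', 'o', 'a', 'd', '!', // block 2: payload
	}
)

// ofb is the mode exactly as the post writes it, seeded with DES[0] = IV:
// DES[n] = E(K, DES[n-1]); C[n] = P[n] XOR DES[n]. The same call decrypts.
func ofb(key, iv, in []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	ks := append([]byte(nil), iv...)
	for i := 0; i < len(in); i += bs {
		blk.Encrypt(ks, ks) // DES[n] = E(K, DES[n-1]), always in encrypt mode
		for j := 0; j < bs && i+j < len(in); j++ {
			out[i+j] = in[i+j] ^ ks[j]
		}
	}
	return out, nil
}

// cbcEncrypt: C[n] = E(K, P[n] XOR C[n-1]). len(pt) must be a multiple of bs.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil || len(pt)%bs != 0 {
		return nil, fmt.Errorf("bad key (%v) or plaintext length %d", err, len(pt))
	}
	out, prev := make([]byte, len(pt)), iv
	for i := 0; i < len(pt); i += bs {
		x := make([]byte, bs)
		for j := range x {
			x[j] = pt[i+j] ^ prev[j]
		}
		blk.Encrypt(out[i:i+bs], x)
		prev = out[i : i+bs]
	}
	return out, nil
}

// cbcDecrypt: P[n] = D(K, C[n]) XOR C[n-1].
func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil || len(ct)%bs != 0 {
		return nil, fmt.Errorf("bad key (%v) or ciphertext length %d", err, len(ct))
	}
	out, prev := make([]byte, len(ct)), iv
	for i := 0; i < len(ct); i += bs {
		blk.Decrypt(out[i:i+bs], ct[i:i+bs])
		for j := 0; j < bs; j++ {
			out[i+j] ^= prev[j]
		}
		prev = ct[i : i+bs]
	}
	return out, nil
}

// xorDelta returns a copy of buf with (old XOR new) XORed in at off.
func xorDelta(buf []byte, off int, old, new []byte) []byte {
	out := append([]byte(nil), buf...)
	for j := range old {
		out[off+j] ^= old[j] ^ new[j]
	}
	return out
}

// forgeOFB: inverting ciphertext bit i inverts plaintext bit i, so the
// delta goes straight into the bytes that hold the address.
func forgeOFB(ct []byte, off int, old, new []byte) []byte { return xorDelta(ct, off, old, new) }

// forgeCBC: P[n] = D(K, C[n]) XOR C[n-1], so the delta goes into the previous
// ciphertext block, whose own plaintext is destroyed (off must be >= bs).
func forgeCBC(ct []byte, off int, old, new []byte) []byte { return xorDelta(ct, off-bs, old, new) }

func main() {
	oldIP, newIP := []byte{12, 34, 56, 78}, []byte{87, 65, 43, 21}
	ct, _ := ofb(key, iv, packet)
	pt, _ := ofb(key, iv, forgeOFB(ct, srcOff, oldIP, newIP))
	fmt.Printf("OFB: src=%s block0 intact=%v payload=%q\n",
		net.IP(pt[srcOff:srcOff+4]), bytes.Equal(pt[:bs], packet[:bs]), pt[2*bs:])
	ct, _ = cbcEncrypt(key, iv, packet)
	pt, _ = cbcDecrypt(key, iv, forgeCBC(ct, srcOff, oldIP, newIP))
	fmt.Printf("CBC: src=%s block0 intact=%v payload=%q\n",
		net.IP(pt[srcOff:srcOff+4]), bytes.Equal(pt[:bs], packet[:bs]), pt[2*bs:])
}
```

Under OFB the forged packet decrypts to the original with only the source address changed; under CBC the address changes just as predictably, but block 0 comes back as unrelated bytes, and it is guaranteed to differ from the original because D(K, .) is a permutation and the attacker changed C[0]. Neither mode detects the change by itself; that is why an integrity check has to be layered on top, whatever mode is chosen.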