
Re: Granularity of authentication in swIPe



>the major reason I was not enamored of the proposal originally.  In
>some contexts per-packet IVs might have to be random or have some
>other structure that would make for poor sequence numbers.  I think it

I'd be interested in some examples. I can't think of an algorithm or
encryption mode where sequential numbers couldn't serve as IVs, but my
experience is probably more limited than yours. I have considered only
block ciphers with CBC-like modes (e.g., DES and IDEA) and key stream
generators (like keyed MD5) and sequential numbers seem appropriate as
IVs for both. Indeed, unique IVs are absolutely essential for a
keystream generator to avoid generating the same key stream
twice. Using sequential numbers is one way to ensure uniqueness. Of
course you have to be careful when you lose this sequential state, but
in the present protocol I don't see a problem as long as you also blow
away and reestablish the SAID and keys from truly random data whenever
this happens.

Phil
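
The point above about unique IVs for a keystream generator, as an added example that is not part of the original message: a keyed-MD5 keystream that uses the packet sequence number as its IV, what leaks when a (key, IV) pair repeats, and a sender that rekeys when its sequence state is lost. The construction MD5(key || seq || counter) and the names `keystream`, `reuse_leak` and `Sender` are assumptions for illustration, not swIPe's specification.

```python
import hashlib
import os
import struct

def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Assumed construction: MD5(key || seq || block counter), concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.md5(key + struct.pack(">QI", seq, counter)).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def reuse_leak(key: bytes, seq: int, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two packets under the same (key, seq) and XOR the ciphertexts.
    The keystream cancels, so the result equals p1 XOR p2 without the key."""
    c1 = xor(p1, keystream(key, seq, len(p1)))
    c2 = xor(p2, keystream(key, seq, len(p2)))
    return xor(c1, c2)

class Sender:
    """Hypothetical sender: the sequence number doubles as the per-packet IV."""
    def __init__(self):
        self.rekey()

    def rekey(self):
        # Fresh association id and key from random data; only then may the
        # sequence number safely restart at zero.
        self.said = os.urandom(4)
        self.key = os.urandom(16)
        self.seq = 0

    def seal(self, plaintext: bytes):
        seq = self.seq
        self.seq += 1  # never reused under the current key
        return self.said, seq, xor(plaintext, keystream(self.key, seq, len(plaintext)))

    def recover_from_state_loss(self):
        # Sequence state is gone, so the old key must never be used again.
        self.rekey()

if __name__ == "__main__":
    p1, p2 = b"first packet 001", b"other packet 002"  # constructed samples
    print(reuse_leak(os.urandom(16), 7, p1, p2) == xor(p1, p2))
    s = Sender()
    print(s.seal(p1)[1], s.seal(p2)[1])
```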

