
Re: Granularity of authentication in swIPe




Theodore Ts'o says:
> 	   As Ted Ts'o pointed out in a private message, the use of the
>    LEAF with SKIPJACK is a good example where an "IV" cannot be just a
>    sequence number.  Certainly you wouldn't want IPSP to not be
>    compatible with FIPS 185 :-)!  SKIPJACK wasn't the example I had in
>    mind, but it is representative of crypto hardware that insists on
>    generating the IV itself, to minimize the possibility of repeating
>    an IV already used under a given key.
> 
[...]
> The sad fact of the matter is that even if FIPS 185 isn't a good reason
> to allow for non-random IVs, my guess is that it's not the only form of
> classified encryption hardware that requires users to use a machine
> generated IV, and we probably should allow for them in our design.

I'll point out that the sequence number need not be used as the IV --
it's entirely possible to get away with transmitting the IV in another
manner for such encryption algorithms. Remember that swIPe itself
doesn't specify how such things must be done -- it can change from
encryption algorithm to encryption algorithm. In particular, with an
EES implementation (not something I'd use, but hey, the government is
going to want them) we could assume that the IV gets exchanged with
the LEAF at key setup time and that the sequence number could be used
as a sort of supplementary IV...

Perry
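
The three IV policies the thread contrasts, sketched as an added illustration (this is not swIPe code and not from either correspondent): a sequence number used directly as the IV, a base IV agreed once at key setup and then reused as-is, and that base IV combined with the sequence number as a "supplementary IV". The receiver-side monitor shows why the middle option is the dangerous one. The 8-byte IV width, the 64-bit sequence number, the key identifier and the XOR combination are assumptions made for the example; no real cipher is invoked.

```python
"""Per-packet IV formation under one key, with a receiver-side reuse check.

Added illustration; not swIPe's format and not code from the thread.
Constructed assumptions: 8-byte IV, sequence number packed big-endian into
8 bytes, base IV fixed at key setup (the hardware-generated case), and a
key identifier that stands in for "a given key".
"""
import os
import struct

IV_LEN = 8  # assumed IV width for this example


def iv_from_sequence(seq: int) -> bytes:
    """Option 1: the sequence number itself is the IV."""
    return struct.pack(">Q", seq)


def iv_from_base_and_sequence(base_iv: bytes, seq: int) -> bytes:
    """Option 3: base IV agreed at key setup, sequence number mixed in.

    XOR with the packed sequence number is a bijection, so distinct
    sequence numbers give distinct IVs while the hardware-supplied base
    IV still contributes its unpredictability.  (Assumed combination.)
    """
    if len(base_iv) != IV_LEN:
        raise ValueError("base IV must be %d bytes" % IV_LEN)
    return bytes(a ^ b for a, b in zip(base_iv, struct.pack(">Q", seq)))


def base_iv_only(base_iv: bytes, seq: int) -> bytes:
    """Option 2: the key-setup IV reused unchanged for every packet."""
    return base_iv


def seq_only(base_iv: bytes, seq: int) -> bytes:
    """Adapter so option 1 has the same (base_iv, seq) signature."""
    return iv_from_sequence(seq)


class IvReuseMonitor:
    """Receiver-side check: flag an IV already seen under the same key."""

    def __init__(self) -> None:
        self._seen: dict = {}

    def observe(self, key_id: bytes, iv: bytes) -> bool:
        """Return True if (key, iv) is fresh, False if the IV repeats."""
        seen = self._seen.setdefault(key_id, set())
        if iv in seen:
            return False
        seen.add(iv)
        return True


def simulate(n_packets: int, iv_policy, base_iv: bytes) -> int:
    """Send n packets under one key; return how many IVs were reused."""
    monitor = IvReuseMonitor()
    reused = 0
    for seq in range(n_packets):
        if not monitor.observe(b"key-1", iv_policy(base_iv, seq)):
            reused += 1
    return reused


if __name__ == "__main__":
    base = os.urandom(IV_LEN)  # stands in for a hardware-generated IV
    for name, policy in (("sequence as IV", seq_only),
                         ("base IV only", base_iv_only),
                         ("base IV xor sequence", iv_from_base_and_sequence)):
        print("%-22s %3d reuses in 100 packets" % (name, simulate(100, policy, base)))
```

Run stand-alone, the script reports zero reuses for the two policies that fold the sequence number in and 99 for the one that carries the key-setup IV unchanged, which is the point of Perry's "supplementary IV" remark: the sequence number still has to make each packet's IV unique even when the IV proper arrives some other way. The monitor is a bounded illustration; a real receiver would key it per security association and expire state on rekey rather than grow a set forever.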

