Re: Thoughts on a basic encryption mode
Phil Karn says:
> I propose that this basic algorithm be DES with cipher block chaining
> (CBC). Ciphertext produced by this algorithm will always be a
> multiple of 8 bytes long, so padding is necessary. The very last byte
> of the decrypted plaintext contains a value from 0-6 indicating how much
> of this last block should be considered valid data. And the second
> last byte of the last block is the IP protocol field.
I vote for it.
> First, should we use DES as opposed to IDEA? DES has a smaller key and
> is showing signs of age, but it is widely available and avoids patent
> issues (IDEA is patented in the US). DES is also more readily
> available in hardware, though I suspect that the vast majority of
> IPSEC implementations will do it in software.
Due to patent issues I suggest we use DES just for now, and in the [near]
future it's likely we'll see new [stream] algorithm[s] faster than IDEA
and at least as secure. But at least we won't have to worry about
being sued if our implementations end up in a product (:-).
> Second, should we use standard DES, or can we eliminate the initial
> and final permutations? These are widely regarded as having no
> cryptographic value, and eliminating them can improve software
> performance substantially. The only drawback is the loss of direct
> interoperability with "standard" DES in hardware, but such systems
> could always "undo" the permutations in software to remain compatible.
Well, even though those permutations indeed have no cryptographic value,
I'd rather have them in to be 100% compatible with the hardware...
> Third, do we need an explicit IV in every packet?
I'd say - no we don't. The advantages of having it are too small,
compared with the serious expense of adding extra 8 bytes.
--
Regards,
Uri uri@watson.ibm.com acheron!angmar!uri N2RIU
-----------
<Disclaimer>
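
The trailer layout quoted from the proposal above (last byte = count of valid bytes in the final block, second-last byte = IP protocol field) can be checked on the receiving side as follows. This is an added example, not code from the thread or from any IPSEC implementation; the names parse_trailer and TrailerError and the sample buffers are hypothetical, and the input is assumed to be plaintext that has already been DES-CBC decrypted.

```python
BLOCK = 8  # DES block size in bytes


class TrailerError(ValueError):
    """Decrypted plaintext does not carry a well-formed trailer."""


def parse_trailer(plaintext: bytes) -> tuple[int, bytes]:
    """Return (ip_protocol, payload) from already-decrypted plaintext.

    Layout of the final 8-byte block, per the quoted proposal:
      [ valid data (0-6 bytes) | padding | IP protocol | valid count ]
    """
    # CBC output is always a whole number of blocks; anything else
    # means truncation or a framing error and must be rejected.
    if len(plaintext) == 0 or len(plaintext) % BLOCK != 0:
        raise TrailerError("length is not a positive multiple of 8")

    valid = plaintext[-1]      # how much of the last block is data
    protocol = plaintext[-2]   # IP protocol field of the payload

    # Two trailer bytes leave room for at most 6 data bytes, so a
    # larger count would make the payload overlap the trailer.
    if valid > 6:
        raise TrailerError(f"valid-byte count {valid} outside 0-6")

    # The proposal does not fix the value of the pad bytes, so they
    # are skipped here rather than compared against a pattern.
    end = len(plaintext) - BLOCK + valid
    return protocol, plaintext[:end]


# Constructed samples (not captured traffic).
# 11 payload bytes, protocol 6 (TCP): 3 valid bytes in the last block.
SAMPLE_TCP = b"hello wo" + b"rld" + b"\x00" * 3 + bytes([6, 3])
# 8 payload bytes, protocol 17 (UDP): last block holds only the trailer.
SAMPLE_UDP = b"ABCDEFGH" + b"\x00" * 6 + bytes([17, 0])
# Malformed: count byte of 7 would reach into the protocol byte.
SAMPLE_BAD_COUNT = b"ABCDEFGH" + b"\x00" * 6 + bytes([17, 7])

if __name__ == "__main__":
    print(parse_trailer(SAMPLE_TCP))
    print(parse_trailer(SAMPLE_UDP))
```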