
Re: Thoughts on a basic encryption mode



Phil,

In response to your questions:

	- I think CBC is a fine mode for DES, triple DES, etc.  The
last byte pad length trick has been codified in other proposals, but
everyone should realize that it means that sometimes you will add 8
bytes, because the original packet was an integral multiple of 8 bytes
already and you need to make room for the pad count.  With the IP next
protocol field there too, sometimes you will need to add 9 bytes.  

	- I think that the option to use crypto hardware is worth
preserving and the lack of license requirements for DES, on a
worldwide basis, may make it attractive for many folks.  (DES was
patented in the U.S., by IBM, but it granted royalty free license as a
quid pro quo of DES being adopted as a FIPS.) 

	- My experience with writing software implementations of DES
suggested that the initial permutation and its inverse do not really
take much time, and thus the performance savings are not all that
great.  (Our implementation of IP or IP-inverse, back in 1978, used 8
table lookups, 8 ORs, 7 rotates, and a few ANDs.  I believe better
implementations are available today.)  One would lose hardware
compatibility if these operations were omitted.  Imagine a typical
IPSP association from a laptop to a router at a site, where the router
may have hardware assist to enable it to process many associations.
That sort of scenario motivates use of an algorithm that is available
in hardware.

	- As for per-packet IVs, the argument about the IP unique ID
field may be OK for IP encapsulation, but when a transport protocol is
directly above IPSP this argument cannot be used.  Also, use of some
hardware may be adversely affected by the need to process the first
block in ECB mode (no IV), then switch over to CBC for the remainder
of the packet.  However, FIPS 81 does permit a fixed IV for a
"session" in CBC mode, transmitted during session establishment and
integrity protected.  Thus use of the same IV for every packet is
consistent with this FIPS and would avoid the per-packet overhead you
are concerned about.


Steve
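The pad-length accounting from the first point above, written out as an added example (this is not code from the message or from any IPSP implementation). It assumes an 8-byte block, zero-valued filler bytes, and a tail layout of filler, then the pad-count byte, then the optional next-protocol byte; none of those details are fixed by the message.

```python
from typing import Optional, Tuple

BLOCK = 8  # DES / triple-DES block size in bytes (assumption: 8-byte cipher)


def pad_payload(payload: bytes, next_protocol: Optional[int] = None) -> bytes:
    """Append padding so the result is a whole number of blocks.

    Tail layout (assumed): [filler bytes][pad count][next protocol, optional].
    The pad-count byte records only the number of filler bytes before it, so
    the trailer is 1 byte (count only) or 2 bytes (count + next protocol).
    """
    trailer_len = 1 if next_protocol is None else 2
    # Filler needed so that payload + filler + trailer is block aligned.
    # When the payload is already a multiple of BLOCK this is BLOCK - trailer_len,
    # i.e. a whole extra block is spent just to make room for the trailer.
    pad_len = (-(len(payload) + trailer_len)) % BLOCK
    tail = bytes([pad_len])
    if next_protocol is not None:
        tail += bytes([next_protocol])
    return payload + bytes(pad_len) + tail  # filler is zeros here (assumption)


def unpad_payload(padded: bytes, has_next_protocol: bool = False) -> Tuple[bytes, Optional[int]]:
    """Strip the tail, checking the pad count against the packet length."""
    if not padded or len(padded) % BLOCK != 0:
        raise ValueError("packet length is not a whole number of blocks")
    trailer_len = 2 if has_next_protocol else 1
    next_protocol = padded[-1] if has_next_protocol else None
    pad_len = padded[-trailer_len]  # the count byte sits just before next-protocol
    if pad_len + trailer_len > len(padded):
        raise ValueError("pad count exceeds packet length")
    return padded[: len(padded) - pad_len - trailer_len], next_protocol


def overhead(payload_len: int, with_next_protocol: bool) -> int:
    """Bytes added to a payload of the given length (filler + trailer)."""
    proto = 4 if with_next_protocol else None  # constructed next-protocol value
    return len(pad_payload(b"x" * payload_len, proto)) - payload_len
```

Walking `overhead` over payload lengths 0..63 reproduces the two worst cases in the message: 8 bytes added when only the pad count trails the data, and 9 bytes once the next-protocol byte is there as well (a payload of 7 mod 8 bytes then needs 7 filler bytes plus the 2-byte trailer).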
