
Re: Thoughts...



Thanks for the helpful remarks. Sounds like hardware DES chips will be
more common sooner than I thought. I'll go bum some more instructions
off my DES code and see if I can push the initial and final
permutations down into the noise.

So the consensus seems to be: standard DES, CBC, padding encoded as
previously described, no per-packet IV (although there could be a
per-SAID IV, I'm not sure how useful this would be given unique keys
per SAID). Anybody got the nroff macros for Internet Drafts?

Perry, I deliberately left off authentication because I want to keep
that separate. I note that you can get a very modest amount of
authentication for free from CBC by simply specifying the pad char
values and checking them when you decrypt. If the padding is wrong,
the PID is invalid or the length byte isn't 0-6, then you toss the
packet. And of course there are the imbedded IP and TCP checksums, if
any, which would be hard to get right given CBC's error propagation
feature.  (Strictly speaking, all this isn't "free" - it comes from
the overhead of CBC).
 
Certainly this is nowhere near as strong as keyed MD5 with a 16 byte
authenticator, but I suspect many will balk at that much overhead on a
slow link. Perhaps our "baseline" authentication mode should use only a
piece of the MD5 output? If so, how much?

Phil



