Re: IVs, summary of discussion
So I take it that there's general agreement that Mode 1 encryption
(single key DES/CBC, as we've already discussed) can use the IPv4 ID
field as the IV? Remember that we intend this mode to be mandatory in
all IPSEC implementations to provide basic interoperability (only the
implementation is mandatory, not its actual use). So it's really
important that it not be too difficult to add to existing
implementations.
Except, of course, that IPv6 doesn't have the ID field.
By the way, in the draft text I sent yesterday to Perry, I specify
that the ID value be left-justified in the 8-byte IV field, with the
remaining 6 bytes set to zero. My thinking is that the first two bytes
of a TCP or an IP header (depending on what is being encapsulated) are
usually constant from one packet to the next. This makes it fairly
unlikely that XORing in the ID field (which is incremented after every
packet) would produce the same plaintext input to DES for more than
one packet. But the ID field could just as easily be placed elsewhere
in the IV, or it could even be repeated 4 times if
necessary. Comments?
In a theoretical sense, I don't like it much, since it means that there's
almost no variability in the first input block, which in turn could aid
cryptanalysts. In a practical sense, I doubt that it matters much against
anyone who can attack DES...
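The IV layout described above (ID left-justified, six zero bytes, or ID repeated four times) and the variability concern raised against it, as an added example that is not part of this thread or of any IPSEC draft: it builds the IV from a constructed ID sequence and counts how many distinct first-block cipher inputs CBC actually produces, which needs no DES implementation because equal inputs give equal ciphertext blocks under any block cipher. The TCP header bytes are constructed sample data.

```python
import struct

IV_LEN = 8  # DES block size in bytes

def build_iv(ip_id: int, repeat: bool = False) -> bytes:
    """Derive an 8-byte DES-CBC IV from the 16-bit IPv4 Identification field.
    Default: ID left-justified, remaining six bytes zero (the draft layout).
    repeat=True: the alternative floated in the message, ID repeated 4 times."""
    if not 0 <= ip_id <= 0xFFFF:
        raise ValueError("IPv4 ID is a 16-bit field")
    id_bytes = struct.pack("!H", ip_id)
    return id_bytes * 4 if repeat else id_bytes + b"\x00" * 6

def first_cipher_input(iv: bytes, plaintext: bytes) -> bytes:
    """CBC feeds IV XOR P1 to the block cipher; equal inputs give equal
    first ciphertext blocks under DES or any other block cipher."""
    return bytes(a ^ b for a, b in zip(iv, plaintext[:IV_LEN]))

def cipher_input_variability(first_block: bytes, ids, repeat=False):
    """Return (number of distinct cipher inputs, set of byte offsets that
    ever change) for one constant leading plaintext block across a stream
    of packets whose IP IDs are `ids`."""
    inputs = [first_cipher_input(build_iv(i, repeat), first_block) for i in ids]
    varying = {k for k in range(IV_LEN) if len({x[k] for x in inputs}) > 1}
    return len(set(inputs)), varying

# Constructed sample: first 8 bytes of a TCP header that do not change
# between packets of one flow (src port 443, dst port 51000, start of seq).
TCP_HEAD = struct.pack("!HHI", 443, 51000, 0x1A2B3C4D)

def demo():
    """A flow of 70000 packets whose ID increments and wraps at 16 bits:
    only 65536 distinct cipher inputs exist, and repeating the ID across
    the IV makes more bytes change without adding any variability."""
    ids = [i & 0xFFFF for i in range(70000)]
    n, pos = cipher_input_variability(TCP_HEAD, ids)
    n_rep, pos_rep = cipher_input_variability(TCP_HEAD, ids, repeat=True)
    return {"distinct": n, "repeats": len(ids) - n, "varying_bytes": sorted(pos),
            "distinct_repeat": n_rep, "varying_bytes_repeat": sorted(pos_rep)}

if __name__ == "__main__":
    print(demo())
```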