
Re: IVs, summary of discussion



	 So I take it that there's general agreement that Mode 1 encryption
	 (single key DES/CBC, as we've already discussed) can use the IPv4 ID
	 field as the IV? Remember that we intend this mode to be mandatory in
	 all IPSEC implementations to provide basic interoperability (only the
	 implementation is mandatory, not its actual use). So it's really
	 important that it not be too difficult to add to existing
	 implementations.

Except, of course, that IPv6 doesn't have the ID field.

	 By the way, in the draft text I sent yesterday to Perry, I specify
	 that the ID value be left-justified in the 8-byte IV field, with the
	 remaining 6 bytes set to zero. My thinking is that the first two bytes
	 of a TCP or an IP header (depending on what is being encapsulated) are
	 usually constant from one packet to the next. This makes it fairly
	 unlikely that XORing in the ID field (which is incremented after every
	 packet) would produce the same plaintext input to DES for more than
	 one packet.  But the ID field could just as easily be placed elsewhere
	 in the IV, or it could even be repeated 4 times if
	 necessary. Comments?

In a theoretical sense, I don't like it much, since it means that there's
almost no variability in the first input block, which in turn could aid
cryptanalysts.  In a practical sense, I doubt that it matters much against
anyone who can attack DES...
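As an added illustration of the variability point raised above (this is not part of the original message or of any IPSEC draft), the script below models what the DES block cipher actually sees as its first input under the proposed scheme: the first 8 bytes of the encapsulated header XORed with an IV made of the 16-bit IPv4 ID left-justified and 6 zero bytes. The header block, the `iv_from_ipv4_id` and `iv_random` helpers, and the packet counts are all constructed here for the illustration; no DES library is needed because the point concerns the cipher's input, not its output. It shows that with a constant header only byte positions 0 and 1 of the first block ever change, and that the set of distinct first-block inputs is capped at 65536 because the ID field wraps, whereas a fresh 64-bit IV per packet (included only as a comparison, not as a proposal from the thread) gives a new input for essentially every packet.

```python
import os
import struct

BLOCK = 8  # DES block size in bytes; CBC XORs the IV into the first plaintext block

# Constructed sample: the first 8 bytes of an encapsulated IPv4 header
# (version/IHL, TOS, total length, ID, flags/fragment offset). On a given
# tunnel these bytes are typically identical from one packet to the next,
# which is the worst case for a low-variability IV.
SAMPLE_HEADER_BLOCK = bytes.fromhex("4500 0054 0000 4000")


def iv_from_ipv4_id(packet_no: int) -> bytes:
    """IV as proposed in the thread: the 16-bit IPv4 ID left-justified,
    remaining 6 bytes zero. The ID field is 16 bits, so it wraps modulo 2**16."""
    return struct.pack("!H", packet_no & 0xFFFF) + b"\x00" * (BLOCK - 2)


def iv_random(packet_no: int) -> bytes:
    """Comparison case (hypothetical, not from the thread): an unpredictable
    64-bit IV chosen fresh for every packet. packet_no is ignored."""
    return os.urandom(BLOCK)


def first_cipher_input(plaintext_block: bytes, iv: bytes) -> bytes:
    """CBC feeds P0 XOR IV into the block cipher; this is what DES would see."""
    return bytes(p ^ v for p, v in zip(plaintext_block, iv))


def distinct_first_inputs(header_block: bytes, n_packets: int, iv_fn) -> int:
    """How many different first-block cipher inputs occur over n_packets."""
    return len({first_cipher_input(header_block, iv_fn(i)) for i in range(n_packets)})


def varying_byte_positions(header_block: bytes, n_packets: int, iv_fn) -> set:
    """Byte positions of the first cipher input that take more than one value
    across n_packets. Positions not in the result are fixed for the cryptanalyst."""
    reference = None
    varying = set()
    for i in range(n_packets):
        block = first_cipher_input(header_block, iv_fn(i))
        if reference is None:
            reference = block
            continue
        for pos in range(BLOCK):
            if block[pos] != reference[pos]:
                varying.add(pos)
    return varying


if __name__ == "__main__":
    n = 70000  # more packets than the 16-bit ID space, so the ID wraps once
    for name, fn in (("IPv4 ID IV", iv_from_ipv4_id), ("random 64-bit IV", iv_random)):
        print(f"{name}: {distinct_first_inputs(SAMPLE_HEADER_BLOCK, n, fn)} distinct "
              f"first inputs over {n} packets; varying byte positions "
              f"{sorted(varying_byte_positions(SAMPLE_HEADER_BLOCK, n, fn))}")
```

Run as-is, the ID-based IV yields exactly 65536 distinct first-block inputs for 70000 packets and only byte positions 0 and 1 vary, i.e. 48 of the 64 input bits are known constants; the random IV yields a distinct input per packet with all 8 positions varying. Repeating the ID four times across the IV, as the quoted message also floats, would make all positions vary but still leave only 16 bits of entropy in the first block.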
