
Re: IVs, summary of discussion



	   Last Monday I gave an MBONE talk on the IPv6 security stuff as part
	 of the open IPv6 Design Review.  During that talk, Jeff Schiller
	 suggested that DES OFB mode might be preferable since IP can both lose
	 and re-order packets.  I'm wondering what folks on this list think of
	 that idea instead of DES CBC mode.  

I fail to see Jeff's point -- why should those properties of IP mean
that OFB is better?  If nothing else, each packet would be encrypted
separately with CBC, so the interpacket properties don't matter.  (They
would matter if we were trying to use a computed IV for each packet,
since then the ordering and delivery guarantees would be very critical.
Even then, OFB wouldn't help.  OFB would work on top of TCP, but that's
not what we're talking about.)

Let me give a concrete -- though possibly not realistic -- example
of how OFB might be totally unacceptable.  Suppose that we decide
that we don't need a separate checksum, since the TCP checksum will
detect any modifications.  A key property of OFB is that the attacker
can make predictable changes to the plaintext.  I suspect that
corresponding changes could be made to the very simple TCP checksum.
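
An added illustration of the property described above, not part of the original message: a payload and its TCP-style 16-bit checksum are encrypted together in OFB mode, two known 16-bit fields are exchanged by XORing the ciphertext, and the checksum still verifies while a keyed MAC over the ciphertext does not. The block cipher is a stand-in (truncated HMAC-SHA256, not DES), and the keys, IV, packet layout and function names are constructed for the example.

```python
import hashlib, hmac

BLOCK = 8  # DES block size in bytes

def ofb_xor(key, iv, data):
    """OFB: O_i = E_k(O_{i-1}); output = data XOR keystream.
    E_k is a stand-in (truncated HMAC-SHA256), not DES. OFB only uses the
    forward direction of the cipher, so the malleability is the same."""
    out, o = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        o = hmac.new(key, o, hashlib.sha256).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], o))
    return bytes(out)

def inet_checksum(data):
    """16-bit one's-complement sum as used by TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def seal(key, iv, payload):
    """Payload followed by its checksum, OFB-encrypted as one unit."""
    return ofb_xor(key, iv, payload + inet_checksum(payload).to_bytes(2, "big"))

def open_checked(key, iv, ct):
    """Decrypt and report whether the embedded checksum still verifies."""
    pt = ofb_xor(key, iv, ct)
    return pt[:-2], inet_checksum(pt[:-2]) == int.from_bytes(pt[-2:], "big")

def xor_at(ct, offset, delta):
    """Edit made without the key: XOR `delta` into the ciphertext at `offset`."""
    return ct[:offset] + bytes(a ^ b for a, b in zip(ct[offset:], delta)) + ct[offset + len(delta):]

def demo():
    key, mac_key, iv = b"k" * 8, b"m" * 16, b"\x00" * BLOCK  # constructed values
    payload = b"SRC=AA;;DST=BB;;"              # constructed; fields word-aligned
    ct = seal(key, iv, payload)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    delta = bytes(a ^ b for a, b in zip(b"AA", b"BB"))
    # Exchanging two 16-bit words leaves the one's-complement sum unchanged.
    forged = xor_at(xor_at(ct, 4, delta), 12, delta)
    got, checksum_ok = open_checked(key, iv, forged)
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, iv + forged, hashlib.sha256).digest())
    return got, checksum_ok, mac_ok

if __name__ == "__main__":
    print(demo())
```

The checksum passes because it is a commutative sum with no key; the MAC fails because it is keyed and covers every ciphertext bit.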