[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
draft-ietf-ipsec-esp-des-cbc-00.txt
Network Working Group P Metzger
Internet Draft W A Simpson
expires in six months January 1995
The ESP DES-CBC Transform
draft-ietf-ipsec-esp-des-cbc-00.txt
Status of this Memo
This document is a submission to the IP Security Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the ipsec@ans.net mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months, and may be updated, replaced, or obsoleted by other documents
at any time. It is not appropriate to use Internet Drafts as
reference material, or to cite them other than as a ``working draft''
or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the internet-drafts Shadow
Directories on:
ftp.is.co.za (Africa)
nic.nordu.net (Europe)
ds.internic.net (US East Coast)
ftp.isi.edu (US West Coast)
munnari.oz.au (Pacific Rim)
Abstract
This document describes the DES-CBC security transform for the
Encapsulating Security Payload (ESP).
Troublemakers expires in six months [Page 1]
DRAFT ESP DES-CBC January 1995
1. Introduction
The Encapsulating Security Payload (ESP) [1] provides confidentiality
and integrity by encrypting the data to be protected.
This specification describes the ESP use of the Cipher Block Chaining
(CBC) mode of the US Data Encryption Standard (DES) algorithm. DES
is described is several US Government publications [2, 3, 4, 5].
A recent book also provides information on DES [6]. At least one
hardware implementation of DES-CBC can encrypt or decrypt at about 1
Gbps [6, p. 231].
Conformance with ESP requires that this Security Transform MUST be
implemented.
1.1. Keys
The secret DES key shared between the communicating parties is 64
bits long. This key consists of a 56-bit quantity used by the DES
algorithm, and 8 parity bits arranged such that one parity bit is the
least significant bit of each octet.
1.2. Initialization Vector
This mode of DES requires an Initialization Vector (IV) that is 8
octets in length.
Each datagram contains its own DES IV. Including the IV in each
datagram ensures that decryption of each received datagram can be
performed, even when other datagrams are dropped, or datagrams are
re-ordered in transit.
The method for selection of the IV values is implementation
dependent.
Note: A common technique is simply a counter, beginning with a
randomly chosen value. Other implementations also exhibit
unpredictability, usually through a pseudo-random number
generator. Care should be taken that the periodicity of the
number generator is long enough to prevent repetition during the
lifetime of the session key.
Troublemakers expires in six months [Page 1]
DRAFT ESP DES-CBC January 1995
1.3. Data Size
The DES algorithm operates on blocks of 8 octets. This often
requires padding after the end of the unencrypted payload data.
Both input and output result in the same number of octets, which
facilitates in-place encryption and decryption.
On receipt, if the length of the data to be decrypted is not an
integral multiple of 8 octets, then an error is indicated. The
datagram is discarded, and an appropriate ICMP message is returned.
The failure SHOULD be recorded in the system or audit log, including
the cleartext values for the SAID, date/time, Source, Destination,
and other identifying information.
2. Payload Format
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Security Association Identifier (SAID) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Initialization Vector (IV) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Payload Data ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... Padding | Pad Length | Data Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Security Association Identifier (SAID)
A 32-bit value identifying the Security Association for this
datagram. If no Security Association has been established, the
value of this field is zero.
Initialization Vector
The size of this field is variable, though for any given Security
Association it has a particular known size. Its position and size
is constant for all DES-CBC datagrams of the same SAID and IP
Destination.
Troublemakers expires in six months [Page 2]
DRAFT ESP DES-CBC January 1995
This field is considered to be transparent, though most users will
not be able to make sense of its contents.
The field may be longer or shorter than the 64-bits used by DES,
in multiples of 32-bits. This allows alignment of the Encrypted
Data for in-place decryption.
All conformant implementations MUST correctly process a 64-bit
field size.
When the size is negotiated to 32-bits, the inverse of the 32-bits
is appended to form a 64-bit value.
When the size is negotiated to 96-bits or greater, the alignment
of the 64-bit value within this field is negotiated by a variable
parameter. Unused octets are filled with unspecified
implementation dependent values.
Payload Data
The size of this field is variable. This field is opaque.
Prior to encryption and after decryption, the contents of this
field begins with an entire IP datagram (IP-Mode), or an IP
Payload header (Transport-Mode).
Padding
The size of this field is variable. This field is opaque.
Prior to encryption, it is filled with unspecified implementation
dependent values.
After decryption, it MUST be ignored.
Pad Length
This field indicates the size of the Padding field. It does not
include the Pad Length and Data Type fields. The value typically
ranges from 0 to 7, but may be up to 255 to permit hiding of that
actual data length.
This field is opaque. That is, the value is set prior to
encryption, and is examined only after decryption.
Data Type
This field indicates the contents of the Payload Data field, using
Troublemakers expires in six months [Page 3]
DRAFT ESP DES-CBC January 1995
the IP Protocol/Payload value. Up-to-date values of the IP
Protocol/Payload are specified in the most recent "Assigned
Numbers" RFC [7].
This field is opaque. That is, the value is set prior to
encryption, and is examined only after decryption.
For example, when encrypting an entire IP datagram (IP-Mode),
this field will contain the value 4, which indicates IP-in-IP
encapsulation.
Security Considerations
Users need to understand that the quality of the security provided by
this specification depends completely on the strength of whichever
encryption algorithm that has been implemented, the correctness of
that algorithm's implementation, the security of the key management
mechanism and its implementation, the strength of the key [8], and
upon the correctness of the ESP and IP implementations in all of the
participating systems.
It is known that DES is an algorithm approaching the end of its
useful lifetime. As of the writing of this document, Biham and
Shamir [9] have demonstrated a differential cryptanalysis based
chosen-plaintext attack requiring 2^47 plaintext-ciphertext pairs,
and Mitsuru Matsui [10] has demonstrated a linear cryptanalysis based
known-plaintext attack requiring only 2^43 plaintext-ciphertext
pairs. Although these attacks are not considered practical, they
must be taken into account.
More disturbingly, Wiener [11] has shown the design of a DES cracking
machine costing $1 Million that can crack one key every 3.5 hours.
This is an extremely practical attack, and it is suggested that DES
is not a good encryption algorithm for the protection of even
moderate value in the face of such equipment. Triple DES is probably
a better choice for such purposes.
Acknowledgements
The original text of this specification was derived from work by Ran
Atkinson for the SIP, SIPP, and IPv6 Working Groups.
The use of DES for confidentiality is closely modeled on the work
done for SNMPv2 [12].
Troublemakers expires in six months [Page 4]
DRAFT ESP DES-CBC January 1995
References
[1] Randall Atkinson, Perry Metzger, William Simpson,
"Encapsulating Security Protocol (ESP)", work in progress.
[2] US National Bureau of Standards, "Data Encryption Standard",
Federal Information Processing Standard (FIPS) Publication 46,
January 1977.
[3] US National Bureau of Standards, "Data Encryption Standard",
Federal Information Processing Standard (FIPS) Publication 46-
1, January 1988.
[4] US National Bureau of Standards, "DES Modes of Operation"
Federal Information Processing Standard (FIPS) Publication 81,
December 1980.
[5] US National Bureau of Standards, "Guidelines for Implementing
and Using the Data Encryption Standard", Federal Information
Processing Standard (FIPS) Publication 74, April 1981.
[6] Schneier, B., "Applied Cryptography", John Wiley & Sons, New
York, NY, 1994. ISBN 0-471-59756-2
[7] Reynolds, J., and Postel, J., "Assigned Numbers", STD 2, RFC
1700, USC/Information Sciences Institute, October 1994.
[8] Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak Data:
Foiling the Two Nemeses", Cryptologia, Vol. 18 No. 23 pp. 253-
280, July 1994.
[9] Biham, E., and Shamir, A., "Differential Cryptanalysis of the
Data Encryption Standard", Berlin: Springer-Verlag, 1993.
[10] Matsui, M., "Linear Cryptanalysis method dor DES Cipher,"
Advances in cryptology -- Eurocrypt '93 Proceedings, Berlin:
Springer-Verlag, 1994.
[11] Wiener, M.J., "Efficient DES Key Search", School of Computer
Science, Carleton University, Ottawa, Canada, TR-244, May 1994.
Presented at the Rump Session of Crypto '93.
[12] Galvin, J., and McCloghrie, K., "Security Protocols for Version
2 of the Simple Network Management Protocol (SNMPv2)", RFC-
1446, DDN Network Information Center, April 1993.
Troublemakers expires in six months [Page 5]
DRAFT ESP DES-CBC January 1995
Author's Address
Questions about this memo can also be directed to:
Randall Atkinson
Information Technology Division
Naval Research Laboratory
Washington,
DC 20375-5320
USA
Telephone: (DSN) 354-8590
Fax: (DSN) 354-7942
<atkinson@itd.nrl.navy.mil>
Perry Metzger
Piermont Information Systems Inc.
160 Cabrini Blvd., Suite #2
New York, NY 10033
perry@piermont.com
William Allen Simpson
Daydreamer
Computer Systems Consulting Services
1384 Fontaine
Madison Heights, Michigan 48071
Bill.Simpson@um.cc.umich.edu
bsimpson@MorningStar.com
Troublemakers expires in six months [Page 6]
DRAFT ESP DES-CBC January 1995
Table of Contents
1. Introduction .......................................... 1
1.1 Keys ............................................ 1
1.2 Initialization Vector ........................... 1
1.3 Data Size ....................................... 2
2. Payload Format ........................................ 2
SECURITY CONSIDERATIONS ...................................... 4
ACKNOWLEDGEMENTS ............................................. 4
REFERENCES ................................................... 5
AUTHOR'S ADDRESS ............................................. 5