
risks of MACs associated with packets



A small serious question about message authenticators in the ESP (not
the AH!) environment.

Now, we all seem to be pretty happy with keyed hashes as
authenticators -- but we are using no initialization vectors on these
things. That means that the odds of two identical payload messages
having identical authenticators are very high (especially since the
only part of the packets likely to vary is the Ident field in the IPv4
packet, which is very short -- in an IPv6 packet no portion would vary
at all!)

This makes for the following question: should we be 

1) adding initialization vectors to our authenticators? (I vote no).
2) placing our authenticators in the ESP under protection of the
   crypto algorithm? (Might make for extra crypto work.)
3) Authenticating the cyphertext instead of the cleartext?
4) something else?

I vote for 2 or 3, with my current leaning to 3 since it's somewhat
lighter weight. Of course, 2 has the nice property that before they can
even start to attack your authenticator they have to break your
cipher, but of course in 3 it might be hard for them to fake you out
for long even if they do manage to fake authenticators on you. The
issues merit discussion.

In either case, we have to use different keys for our keyed hashes
from the ones our ciphers are using or we make cryptanalysis just a
bit too easy for my tastes (any comments on that?)...

Perry
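
The difference between a keyed hash over the cleartext and one over the ciphertext (option 3), as an added example that is not part of the original message. It assumes HMAC-SHA256 as the keyed hash, a cipher that uses a fresh random IV per packet, and a toy keystream cipher standing in for the real ESP transform; all function names are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 16  # truncated tag length, an assumption for this example


def keystream_encrypt(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT ESP's cipher.
    XORing twice with the same key and IV decrypts."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(enc_key, iv + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def mac(mac_key: bytes, data: bytes) -> bytes:
    """Keyed hash with no IV of its own, as in the message above."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:TAG_LEN]


def seal_mac_cleartext(enc_key, mac_key, payload):
    """Tag computed over the cleartext and sent outside the encryption."""
    iv = os.urandom(16)
    return iv + keystream_encrypt(enc_key, iv, payload), mac(mac_key, payload)


def seal_mac_ciphertext(enc_key, mac_key, payload):
    """Option 3: tag computed over IV + ciphertext."""
    iv = os.urandom(16)
    body = iv + keystream_encrypt(enc_key, iv, payload)
    return body, mac(mac_key, body)


def open_mac_ciphertext(enc_key, mac_key, body, tag):
    """Verify first, decrypt only if the tag matches."""
    if not hmac.compare_digest(tag, mac(mac_key, body)):
        raise ValueError("authenticator mismatch")
    return keystream_encrypt(enc_key, body[:16], body[16:])


def tags_repeat(seal, payload):
    """True if two packets carrying the same payload get the same tag."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # independent keys
    return seal(enc_key, mac_key, payload)[1] == seal(enc_key, mac_key, payload)[1]
```

With the tag over the cleartext, an observer sees the same authenticator whenever the same payload is sent, even though the ciphertexts differ; with the tag over IV plus ciphertext, the cipher's IV makes every tag differ.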

