
How to authenticate ESP (was risks of MACs)
smb@research.att.com says:
> 	 But even if computation is the same, unencrypting and then
> 	 authenticating is at least a factor of two more work.
> 
> That's far from clear to me.  If both the plaintext and the checksum are
> encrypted, you can probably use a much weaker algorithm than a cryptographic
> hash function, I'd think.  Or am I missing some attacks?

Yes; Colin noted that you can do bit-flipping attacks against CRCs,
for instance, that are quite effective if you have access to a DES IV
or if the cipher is something like DES-OFB or RC4.

Right now, I'm still wondering which of two approaches to take in my
next draft:

1) compress the AH and ESP together under a single ESP SAID; you end
   up with something like (using MD5 and 3DES for example)...

[IP Header][SAID][keyed MD5 of whole (encrypted) packet][3DES protected area]

2) place an ordinary cryptographic hash of the invariant parts of the
   pre-encryption packet (unkeyed or keyed? unkeyed means brute force
   attackers get an automated way to know when they are right, but the
   TCP/UDP checksum probably gives them that anyway) inside the protected
   area, i.e.

[IP Header][SAID][[MD5 Hash] 3DES Protected Area]

Opinions, folks? Speed is pretty similar in both cases, the first does
a keyed checksum which is (very slightly) slower; the second has more
to DES. If the second is done unkeyed, the first requires more keying
material. The second may save some bytes of padding in architectures
that need padding when SHA or similar algorithms are in use.

Frankly, I don't have enough of a reason to pick one over the other to
write a document immediately without some comment.

Any ideas, folks? PLEASE?

(Yes, I know we came up with some answers in San Jose, but we had
virtually no discussion about it or thought on the matter... I think
the question is harder than we made it out to be.)

Perry
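The two layouts Perry sketches, built and verified side by side, as an added example that is not part of the original post or of any IPsec draft. It assumes a 20-byte IP header, a 4-byte SAID, HMAC-MD5 standing in for "keyed MD5", and a constructed HMAC-in-counter-mode keystream standing in for 3DES (the demo needs only an invertible cipher that runs offline). The last function checks the property behind the CRC bit-flipping remark: CRC-32 is affine over XOR, which is why a CRC under a stream cipher cannot act as an authenticator, while both MD5 layouts reject a modified ciphertext.

```python
import hashlib
import hmac
import struct
import zlib

SAID_LEN = 4      # SAID field width assumed for the demo
TAG_LEN = 16      # MD5 / HMAC-MD5 digest length
IP_HDR_LEN = 20   # assumed IPv4 header length


def keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in for an OFB-style keystream (NOT 3DES):
    HMAC-MD5 in counter mode, used only so the demo runs offline."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", block), hashlib.md5).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Approach 1: [IP Header][SAID][keyed MD5 over SAID||ciphertext][ciphertext]
def build_approach1(ip_hdr, said, payload, enc_key, mac_key):
    ct = xor_bytes(payload, keystream(enc_key, len(payload)))
    tag = hmac.new(mac_key, said + ct, hashlib.md5).digest()
    return ip_hdr + said + tag + ct


def verify_approach1(packet, enc_key, mac_key):
    """Returns the decrypted payload, or None if the keyed checksum fails.
    The checksum is verified before any decryption is attempted."""
    off = IP_HDR_LEN
    said = packet[off:off + SAID_LEN]
    tag = packet[off + SAID_LEN:off + SAID_LEN + TAG_LEN]
    ct = packet[off + SAID_LEN + TAG_LEN:]
    expected = hmac.new(mac_key, said + ct, hashlib.md5).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ct, keystream(enc_key, len(ct)))


# Approach 2: [IP Header][SAID][ E( MD5(payload) || payload ) ]
def build_approach2(ip_hdr, said, payload, enc_key):
    inner = hashlib.md5(payload).digest() + payload
    return ip_hdr + said + xor_bytes(inner, keystream(enc_key, len(inner)))


def verify_approach2(packet, enc_key):
    """Decrypts first, then checks the unkeyed hash. A wrong key and a
    modified ciphertext both show up as a hash mismatch (None), which is
    the 'automated way to know when they are right' the post mentions."""
    ct = packet[IP_HDR_LEN + SAID_LEN:]
    inner = xor_bytes(ct, keystream(enc_key, len(ct)))
    digest, payload = inner[:TAG_LEN], inner[TAG_LEN:]
    if not hmac.compare_digest(digest, hashlib.md5(payload).digest()):
        return None
    return payload


def crc32_is_linear(a: bytes, delta: bytes) -> bool:
    """For equal-length inputs, crc32(a XOR delta) is fixed by crc32(a),
    crc32(delta) and crc32(zeros): CRC-32 is an affine map over GF(2).
    That is why a CRC inside a stream cipher detects noise but not a
    deliberate change; a cryptographic hash has no such identity."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, delta))
    rhs = zlib.crc32(a) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return lhs == rhs


def flip_byte(packet: bytes, index: int) -> bytes:
    """Constructed in-transit modification of one ciphertext byte."""
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)


# Constructed sample values; none come from a real key exchange.
IP_HDR = bytes(IP_HDR_LEN)
SAID = b"\x00\x00\x01\x2c"
ENC_KEY = b"constructed-3des-stand-in-key"
MAC_KEY = b"constructed-keyed-md5-key"
PAYLOAD = b"TCP segment goes here: GET / HTTP/1.0\r\n"


def demo() -> dict:
    p1 = build_approach1(IP_HDR, SAID, PAYLOAD, ENC_KEY, MAC_KEY)
    p2 = build_approach2(IP_HDR, SAID, PAYLOAD, ENC_KEY)
    return {
        "a1_ok": verify_approach1(p1, ENC_KEY, MAC_KEY) == PAYLOAD,
        "a2_ok": verify_approach2(p2, ENC_KEY) == PAYLOAD,
        "a1_rejects_flip": verify_approach1(flip_byte(p1, len(p1) - 1), ENC_KEY, MAC_KEY) is None,
        "a2_rejects_flip": verify_approach2(flip_byte(p2, len(p2) - 1), ENC_KEY) is None,
        "a2_wrong_key_detected": verify_approach2(p2, b"wrong-key") is None,
        "crc_linear": crc32_is_linear(PAYLOAD, b"\x01" + bytes(len(PAYLOAD) - 1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Approach 1 verifies before decrypting, so a garbage packet costs one MAC computation and nothing else; approach 2 must decrypt before it can say anything, and its unkeyed hash confirms a guessed key just as the TCP/UDP checksum would.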

