
Re: How to authenticate ESP



> From: jpp@markv.com
> : From: "Perry E. Metzger" <perry@imsi.com>
> :
> : Right now, I'm still wondering which of two approaches to take in my
> : next draft:
> :
> : 1) [IP Header][SAID][keyed MD5 of whole (encrypted) packet][3DES protected]
> :
> : 2) [IP Header][SAID][[MD5 Hash] 3DES Protected]
> :
> But the second has the potential advantage of being faster.  (Only for
> carefully chosen <non-cryptographic check sum, cypher> pairs like
> <CRC+{{DES,3DES,IDEA...}CFB}>.).  It has the potential disadvantage of
> being ineffective (Bit flipping attacks on <CRC+{...}OFB>).
>
I read the comments about the bit flipping, and as I said, that
scenario is not particularly valid.  A CRC will always detect bit
changes if you stay within its Hamming distance.  The difficulty of
doing this is practically the same as the likelihood of doing it with a
cryptographic hash.  The algorithm is known for both.

 <SAID, DES, protected CRC>

An encrypted CRC (covering the plaintext) at the _end_ will not even be
findable by the attacker to decide if s/he was successful.

No, the only concern that I have is Phil's desire to have a
"lightweight" method of tossing packets before going to the trouble of
decrypting.  I don't hear anyone else who wants to do that.  Seems
people want to do authentication and encryption in parallel.

Bill.Simpson@um.cc.umich.edu
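
Added example, not part of the original message or of any draft discussed in the thread: a check of both packet layouts against a ciphertext change made without the key, for the <CRC + OFB-style stream mode> pairing named in the quoted text. Assumptions: a SHA-256 counter keystream stands in for a DES/3DES OFB keystream, `zlib.crc32` is the CRC, HMAC-MD5 stands in for "keyed MD5", and the packet, keys and helper names are constructed.

```python
import hashlib, hmac, zlib

def keystream(key, n):
    # Assumption: SHA-256 in counter mode stands in for a DES/3DES OFB keystream.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data):
    return zlib.crc32(data).to_bytes(4, "big")

def seal_crc(key, pt):
    # Layout 2 with a CRC: encrypt plaintext || CRC(plaintext).
    body = pt + crc(pt)
    return xor(body, keystream(key, len(body)))

def open_crc(key, ct):
    body = xor(ct, keystream(key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if crc(pt) == tag else None

def seal_mac(enc_key, mac_key, pt):
    # Layout 1: keyed hash of the encrypted packet, sent ahead of the ciphertext.
    ct = xor(pt, keystream(enc_key, len(pt)))
    return hmac.new(mac_key, ct, "md5").digest() + ct

def open_mac(enc_key, mac_key, pkt):
    tag, ct = pkt[:16], pkt[16:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "md5").digest()):
        return None  # dropped before any decryption work
    return xor(ct, keystream(enc_key, len(ct)))

def keyless_change(ct_with_crc, delta):
    # CRC is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros).
    fix = xor(crc(delta), crc(bytes(len(delta))))
    return xor(ct_with_crc, delta + fix)

# Constructed sample packet and keys.
PT = b"PAY 0100 TO BOB"
DELTA = bytes(4) + bytes([ord("0") ^ ord("9")]) + bytes(len(PT) - 5)
K_ENC, K_MAC = b"constructed-enc-key", b"constructed-mac-key"

def run():
    forged = keyless_change(seal_crc(K_ENC, PT), DELTA)
    pkt = seal_mac(K_ENC, K_MAC, PT)
    tampered = pkt[:16] + xor(pkt[16:], DELTA)
    return open_crc(K_ENC, forged), open_mac(K_ENC, K_MAC, tampered)
```

`run()` returns the receiver's result for each layout: the encrypted-CRC packet decrypts to the altered plaintext and passes its check, while the keyed-hash packet is rejected before decryption.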