
Re: How to authenticate ESP (was risks of MACs)




I'm in favor of approach 1.  It may require more key material in the
case where the hash is unkeyed in approach 2 but it is at least somewhat
faster and permits the possibility of entities that can authenticate
but not read packets.  (Yes, for keyed MD5 that means they can forge
authentic packets but can't get the unencrypted data from them.  But
this is not true for some other possible authentication means and, in
any case, there might be entities you would trust that far.)

Donald

From:  "Perry E. Metzger" <perry@imsi.com>
To:  smb@research.att.com
Cc:  ipsec@ans.net
In-Reply-To:  Your message of "Tue, 31 Jan 1995 20:05:32 EST."
              <199502010109.AA28305@interlock.ans.net>
Reply-To:  perry@imsi.com
X-Reposting-Policy:  redistribute only with permission
>
>smb@research.att.com says:
>> 	 But even if computation is the same, unencrypting and then
>> 	 authenticating is at least a factor of two more work.
>> 
>> That's far from clear to me.  If both the plaintext and the checksum are
>> encrypted, you can probably use a much weaker algorithm than a cryptographic
>> hash function, I'd think.  Or am I missing some attacks?
>
>Yes; Colin noted that you can do bit-flipping attacks against CRCs,
>for instance, that are quite effective if you have access to a DES IV
>or if the cipher is something like DES-OFB or RC4.
>
>Right now, I'm still wondering which of two approaches to take in my
>next draft:
>
>1) compress the AH and ESP together under a single ESP SAID; you end
>   up with something like (using MD5 and 3DES for example)...
>
>[IP Header][SAID][keyed MD5 of whole (encrypted) packet][3DES protected area]
>
>2) place an ordinary cryptographic hash of the invariant parts of the
>   pre-encryption packet (unkeyed or keyed? unkeyed means brute force
>   attackers get an automated way to know when they are right, but the
>   TCP/UDP checksum probably gives them that anyway) inside the protected
>   area, i.e.
>
>[IP Header][SAID][[MD5 Hash] 3DES Protected Area]
>
>Opinions, folks? Speed is pretty similar in both cases, the first does
>a keyed checksum which is (very slightly) slower; the second has more
>to DES. If the second is done unkeyed, the first requires more keying
>material. The second may save some bytes of padding in architectures
>that need padding when SHA or similar algorithms are in use.
>
>Frankly, I don't have enough of a reason to pick one over the other to
>write a document immediately without some comment.
>
>Any ideas, folks? PLEASE?
>
>(Yes, I know we came up with some answers in San Jose, but we had
>virtually no discussion about it or thought on the matter... I think
>the question is harder than we made it out to be.)
>
>Perry
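The two packet layouts Perry describes, and Donald's point that under approach 1 a holder of only the authentication key can verify a packet without being able to read it, as an added example that is not code from the thread or from any IPsec draft. It assumes HMAC-MD5 as the "keyed MD5", a 4-byte SAID, and an MD5-based counter-mode keystream as a stand-in for 3DES (the standard library has no 3DES); keys and payload are constructed.

```python
import hashlib
import hmac

def keystream_xor(enc_key, said, data):
    """Toy counter-mode stream cipher standing in for 3DES (an assumption)."""
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = hashlib.md5(enc_key + said + (i // 16).to_bytes(4, "big")).digest()
        out += bytes(c ^ k for c, k in zip(data[i:i + 16], ks))
    return bytes(out)

# Approach 1: [SAID][keyed MD5 over SAID + encrypted area][encrypted area]
def seal1(mac_key, enc_key, said, plaintext):
    enc = keystream_xor(enc_key, said, plaintext)
    return said + hmac.new(mac_key, said + enc, hashlib.md5).digest() + enc

def authentic1(mac_key, packet):
    """Needs only the MAC key: an entity can authenticate without reading."""
    said, tag, enc = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(tag, hmac.new(mac_key, said + enc, hashlib.md5).digest())

def open1(mac_key, enc_key, packet):
    if not authentic1(mac_key, packet):
        return None                    # rejected before any decryption work
    return keystream_xor(enc_key, packet[:4], packet[20:])

# Approach 2: [SAID][ encrypt( MD5(plaintext) || plaintext ) ]
def seal2(enc_key, said, plaintext):
    return said + keystream_xor(enc_key, said, hashlib.md5(plaintext).digest() + plaintext)

def open2(enc_key, packet):
    inner = keystream_xor(enc_key, packet[:4], packet[4:])   # must decrypt first
    digest, plaintext = inner[:16], inner[16:]
    return plaintext if hmac.compare_digest(digest, hashlib.md5(plaintext).digest()) else None

def flip_last_bit(packet):
    """Constructed tampering: flip one bit in the protected area."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])

def demo():
    mac_key, enc_key, said = b"constructed-mac-key", b"constructed-enc-key", b"\x00\x00\x01\x01"
    plaintext = b"constructed ESP payload: TCP segment bytes"
    p1, p2 = seal1(mac_key, enc_key, said, plaintext), seal2(enc_key, said, plaintext)
    return {"open1": open1(mac_key, enc_key, p1),
            "verify_without_enc_key": authentic1(mac_key, p1),
            "open1_tampered": open1(mac_key, enc_key, flip_last_bit(p1)),
            "open2": open2(enc_key, p2),
            "open2_tampered": open2(enc_key, flip_last_bit(p2))}
```

Both layouts reject the flipped bit, but only approach 1 does so before decrypting, and only approach 1 lets `authentic1` succeed with no encryption key at all.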