How to authenticate ESP (was risks of MACs)
>1)[IP Header][SAID][keyed MD5 of whole (encrypted) packet][3DES protected area]
>
>2)[IP Header][SAID][[MD5 Hash] 3DES Protected Area]
I, too, vote for option 1.
A few reasons:
* Security. Option 1 is more secure (modulo unknown weaknesses of keyed MD5).
Using independent keys for authentication and encryption is the
right approach as learned from many failures caused by trying to "save"
the authentication key (See, e.g., the papers
by Jueneman, Matyas and Meyer, "Message Authentication", IEEE Comm.
Magazine, Vol 23, No.9, 9/85, pp. 29-40, and the more recent by
Stubblebine and Gligor in Oakland Conference, 1992.)
* Independence of functions. One can independently change the
specific encryption and authentication functions in option 1,
while in option 2 it requires a re-analysis of interaction
between the two functions (e.g. if one changes the CBC to
stream-cipher mode, the authentication in option 1 is completely
lost, at least, against known plaintext; BTW, even if you encrypt
your payload there may be somebody that legitimately knows the
contents but is still interested in attacking the authentication).
Moreover,
* Dependence of authentication on encryption strength.
While in the above particular proposal (example?) by Perry
strong encryption is used, 3DES, people may use
the same scheme (for compatibility) even when applying less secure ciphers
(for efficiency, export restrictions, etc). It is not a good idea to reduce
the strength of the authentication (e.g. 128 bits) to that of encryption
(e.g., 56 bits) as it happens in option 2.
* Option 1 is more robust. In option 2 (regular MD5 hash encrypted), if the
authenticator is moved to the end of the information (which is desirable
if you can perform encryption and authentication in parallel, e.g. in h/w),
then the scheme is susceptible to attacks that do not (necessarily) apply
when the authenticator is positioned at the beginning.
* Option 1 has the advantage, if MD5 is applied to the ciphertext, of
checking integrity before doing decryption (as noticed by many before).
On the other hand, by applying the authentication to the plaintext
one gets assurance of correct decryption.
Hugo
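The two layouts from the thread, written out as an added example (this is not code from the original post or from any IPsec implementation). It assumes HMAC-MD5 as the "keyed MD5" of option 1, and, since 3DES is not in the Python standard library, a constructed MD5-counter keystream stands in for a stream-cipher mode of the "3DES protected area". The receiver-side checks show the two points made above: in option 1 the authenticator is verified on the ciphertext before any decryption and catches every modification, while in option 2 (plain MD5 inside the encryption) a stream-cipher mode lets a ciphertext edit pass the hash check whenever the plaintext is known, so option 2's integrity depends on the encryption mode in a way option 1's does not.

```python
"""Encrypt-then-MAC (option 1) vs hash-inside-encryption (option 2)."""
import hashlib
import hmac

SAID = b"\x00\x00\x01\x01"        # constructed 4-byte Security Association ID
IV = b"\x10\x20\x30\x40\x50\x60\x70\x80"  # constructed 8-byte IV
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-authentication-key"  # independent of ENC_KEY


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream-cipher mode (not a real cipher):
    keystream blocks are MD5(key || iv || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.md5(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# Option 1: [SAID][keyed MD5 of whole encrypted packet][protected area]
def option1_seal(plaintext: bytes) -> bytes:
    ct = xor(plaintext, keystream(ENC_KEY, IV, len(plaintext)))
    tag = hmac.new(MAC_KEY, SAID + IV + ct, hashlib.md5).digest()
    return SAID + tag + IV + ct


def option1_open(packet: bytes):
    said, tag, iv, ct = packet[:4], packet[4:20], packet[20:28], packet[28:]
    expected = hmac.new(MAC_KEY, said + iv + ct, hashlib.md5).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # rejected before any decryption
    return xor(ct, keystream(ENC_KEY, iv, len(ct)))


# Option 2: [SAID][[MD5 hash] protected area]  (hash encrypted with the data)
def option2_seal(plaintext: bytes) -> bytes:
    inner = hashlib.md5(plaintext).digest() + plaintext
    return SAID + IV + xor(inner, keystream(ENC_KEY, IV, len(inner)))


def option2_open(packet: bytes):
    iv, ct = packet[4:12], packet[12:]
    inner = xor(ct, keystream(ENC_KEY, iv, len(ct)))
    digest, plaintext = inner[:16], inner[16:]
    if not hmac.compare_digest(digest, hashlib.md5(plaintext).digest()):
        return None
    return plaintext


def demo() -> dict:
    """Receiver-side integrity checks for both layouts on a constructed payload."""
    p = b"transfer 0000100 to account 7"
    known_other = b"transfer 0999999 to account 7"   # same length, known to the sender-side party

    pkt1 = option1_seal(p)
    # any change to the ciphertext bytes invalidates the keyed MD5
    tampered1 = pkt1[:-1] + bytes([pkt1[-1] ^ 0x01])

    pkt2 = option2_seal(p)
    # with a stream mode the (unkeyed) hash and the data are both XOR-malleable:
    # a party who knows p can move the packet to known_other and the hash still matches
    delta = xor(hashlib.md5(p).digest(), hashlib.md5(known_other).digest()) + xor(p, known_other)
    tampered2 = pkt2[:12] + xor(pkt2[12:], delta)

    return {
        "option1_accepts_original": option1_open(pkt1) == p,
        "option1_rejects_modified": option1_open(tampered1) is None,
        "option2_accepts_original": option2_open(pkt2) == p,
        "option2_detects_modified": option2_open(tampered2) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Under the CBC mode Perry's proposal actually uses, the same ciphertext edit would garble a whole block and the inner hash would almost certainly fail, which is exactly why option 2 needs a fresh analysis of the cipher/hash interaction every time the mode changes, while option 1's check holds regardless of the cipher.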