
How to authenticate ESP (was risks of MACs)



>1)[IP Header][SAID][keyed MD5 of whole (encrypted) packet][3DES protected area]
>
>2)[IP Header][SAID][[MD5 Hash] 3DES Protected Area]

I, too, vote for option 1.
A few reasons:

*  Security. Option 1 is more secure (modulo unknown weaknesses of keyed MD5).
   Using independent keys for authentication and encryption is the
   right approach as learned from many failures caused by trying to "save"
   the authentication key (See, e.g., the papers
   by Jueneman, Matyas and Meyer, "Message Authentication", IEEE Comm.
   Magazine, Vol 23, No.9, 9/85, pp. 29-40, and the more recent by
   Stubblebine and Gligor in Oakland Conference, 1992.)


*  Independence of functions. One can independently change the
   specific encryption and authentication functions in option 1,
   while in option 2 it requires a re-analysis of interaction
   between the two functions (e.g. if one changes the CBC to
   stream-cipher mode, the authentication in option 1 is completely
   lost, at least, against known plaintext; BTW, even if you encrypt
   your payload there may be somebody that legitimately knows the
   contents but is still interested to attack the authentication).
   Moreover,

*  Dependence of authentication on encryption strength.
   While in the above particular proposal (example?) by Perry
   strong encryption is used, 3DES, people may use
   the same scheme (for compatibility) even when applying less secure ciphers
   (for efficiency, export restrictions, etc). It is not a good idea to reduce
   the strength of the authentication (e.g. 128 bits) to that of encryption
   (e.g., 56 bits) as it happens in option 2.

*  Option 1 is more robust. In option 2 (regular MD5 hash encrypted), if the
   authenticator is moved to the end of the information (which is desirable
   if you can perform encryption and authentication in parallel, e.g. in h/w),
   then the scheme is susceptible to attacks that do not (necessarily) apply
   when the authenticator is positioned at the beginning.

*  Option 1 has the advantage, if MD5 is applied to the ciphertext, of
   checking integrity before doing decryption (as noticed by many before).
   On the other hand, by applying the authentication to the plaintext
   one gets assurance of correct decryption.

Hugo
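
The stream-cipher and known-plaintext remark in the message above, worked through for the two quoted packet layouts as an added example that is not part of the original post: a receiver check for each layout is run against a packet changed in transit by a party who knows the payload but no key. Assumptions: HMAC-MD5 stands in for the thread's keyed MD5, a SHA-256 counter keystream stands in for a stream cipher, and all function names, keys and payloads are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key, n):
    # Constructed stand-in for a stream cipher: SHA-256 in counter mode.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_layout1(enc_key, mac_key, payload):
    # Layout 1: [keyed MD5 of ciphertext][ciphertext], independent keys.
    ct = xor(payload, keystream(enc_key, len(payload)))
    return hmac.new(mac_key, ct, hashlib.md5).digest() + ct

def open_layout1(enc_key, mac_key, packet):
    tag, ct = packet[:16], packet[16:]
    expected = hmac.new(mac_key, ct, hashlib.md5).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # rejected before any decryption is attempted
    return xor(ct, keystream(enc_key, len(ct)))

def seal_layout2(enc_key, payload):
    # Layout 2: plain MD5 of the payload, encrypted together with it.
    body = hashlib.md5(payload).digest() + payload
    return xor(body, keystream(enc_key, len(body)))

def open_layout2(enc_key, packet):
    body = xor(packet, keystream(enc_key, len(packet)))
    digest, payload = body[:16], body[16:]
    ok = hmac.compare_digest(digest, hashlib.md5(payload).digest())
    return payload if ok else None

def modify_in_transit(packet, known_body, new_body):
    # Keyless change by a party who knows the plaintext: XOR in the difference.
    return xor(packet, xor(known_body, new_body))

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    old, new = b"transfer=0100;to=alice", b"transfer=9900;to=alice"
    pad = bytes(16)  # leaves the 16-byte layout-1 tag untouched
    p1 = modify_in_transit(seal_layout1(enc_key, mac_key, old), pad + old, pad + new)
    md5 = lambda m: hashlib.md5(m).digest()
    p2 = modify_in_transit(seal_layout2(enc_key, old), md5(old) + old, md5(new) + new)
    return open_layout1(enc_key, mac_key, p1), open_layout2(enc_key, p2)

if __name__ == "__main__":
    print(demo())  # layout 1 result, layout 2 result
```

The keyed tag over the ciphertext rejects the changed packet without decrypting it, while the encrypted plain hash verifies on the changed payload because the hash can be recomputed by anyone and the keystream cancels out.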