
Re: IPv6 Security Last Call Initial Questions

I think the key setup time can be considerably reduced, down by the
factor of 20 that you expect.  But these numbers in themselves aren't
necessarily disturbing.  Having all the world's computers spending all
weekend cracking weekday session keys wouldn't really be cause for any
individual to worry; we fear drive-by shootings but few of us wear
bullet-proof vests.

However, there is the prospect of generating a table of encryptions of
a known prefix block.  Suppose all datagrams began with the same
bytes, then one table would suffice to break all datagrams.  Now, the
datagrams don't begin with common plaintext, but the attack might
still be feasible if a single address were targeted, for example.

Now, I can well believe that 40 bits is Good Enough for many purposes,
but it seems to me that it would be easily strengthened if salt were added
to the datagrams.  Suppose you choose 16 bits of salt prefix, hash that
with 40 bits of key, and select 56 of the hash to be the session key.
This could well be acceptable to the majority of users.

On the other hand, user reaction to the Pentium divide bug might well be
a counterexample to the idea that Good Enough would be generally acceptable.
Hard to say.
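
The salting scheme proposed in the message above, as an added example that is not part of the original post: a 16-bit salt is hashed with a 40-bit key and 56 bits of the digest become the session key, so a table of first-block encryptions built for one salt does not match datagrams sent under another. Assumptions: the message names no hash, so SHA-256 is used and its first 7 bytes are kept; a keyed hash stands in for the block cipher; the table covers a toy 10-bit key space so it runs instantly.

```python
import hashlib

KEY_BITS = 40      # secret key bits, as in the message
SALT_BITS = 16     # salt prefix carried with the datagram, as in the message
SESSION_BITS = 56  # bits of the hash kept as the session key

def derive_session_key(salt: int, key: int) -> int:
    """Hash salt || key and keep 56 bits of the digest (SHA-256 is an assumption)."""
    if not 0 <= salt < 1 << SALT_BITS or not 0 <= key < 1 << KEY_BITS:
        raise ValueError("salt must fit in 16 bits and key in 40 bits")
    material = salt.to_bytes(2, "big") + key.to_bytes(5, "big")
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:SESSION_BITS // 8], "big")

def first_block(session_key: int, prefix: bytes) -> bytes:
    """Stand-in for encrypting the known 8-byte prefix block (keyed hash, not DES)."""
    return hashlib.sha256(session_key.to_bytes(7, "big") + prefix).digest()[:8]

def build_table(prefix: bytes, salt: int, toy_key_bits: int) -> dict:
    """Map first-block ciphertext -> key for one salt over a toy key space."""
    return {first_block(derive_session_key(salt, k), prefix): k
            for k in range(1 << toy_key_bits)}

def table_hits(toy_key_bits: int = 10) -> tuple:
    """Return (lookup succeeds under the table's salt, lookup succeeds under another salt)."""
    prefix = b"KNOWNPFX"   # constructed known-plaintext block
    secret_key = 0x2A7     # constructed key inside the toy key space
    table = build_table(prefix, salt=0x0000, toy_key_bits=toy_key_bits)
    same = first_block(derive_session_key(0x0000, secret_key), prefix)
    other = first_block(derive_session_key(0xBEEF, secret_key), prefix)
    return table.get(same) == secret_key, table.get(other) == secret_key

def tables_needed() -> int:
    """One table per salt value is required to cover all salted datagrams."""
    return 1 << SALT_BITS

if __name__ == "__main__":
    print("table hit (same salt, other salt):", table_hits())
    print("tables needed to cover every salt:", tables_needed())
```

The salt multiplies the precomputation by 2^16 but does not raise the cost of an exhaustive search against a single datagram, which stays at 2^40 keys because the salt travels in the clear.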
