
Re: response to Last Call on: IP Authentication using Keyed MD5



  > There is already an explicit
  > reference in the document to the fact that under some circumstances
  > integrity can be breached...
I'm not sure what you're trying to say, but the introduction of your
document, AND the next higher-level document (draft-ietf-ipsec-esp-01.txt), 
AND the next higher-level document after that (draft-ietf-ipsec-arch-02.txt) 
ALL maintain that the encryption mechanism provides integrity.  Either
DES CBC encryption is architecturally non-compliant (and so the mechanism
has to be changed), or else all of the above statements about the encryption 
buying you integrity need to be changed.  (I've said this enough times to 
turn blue....)

  > As for counters, assuming that DES does in fact work as advertised,
  > flipping one bit in the IV should flip, on average, 50% of the output
  > bits. Do you have evidence that this is insufficient for purposes of
  > disguising identical initial blocks, which is all an IV does in life?
Maybe you don't understand the purpose of the IV: properly used in CBC 
encryption the method achieves semantic security; improperly used, it 
does not.  A one-line proof of this: simply note that if the IV takes 
on values <0>, <1>, ...  then the adversary can distinguish the encryption of 
message <0> followed by the encryption of message <0>   FROM   the 
encryption of message <0> followed by the encryption of message <1>.
(Here <i> means the 64-bit encoding of integer i).

(Perry - further discussion on these particular issues need not involve 
the entire mailing list.)


Phil
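
The one-line proof above, carried out as an added example that is not part of the original message. It assumes a toy 4-round Feistel permutation as a stand-in for DES (the standard library has no DES), and all function names are hypothetical; random IVs are assumed as the contrasting proper use.

```python
import hashlib
import os

BLOCK = 8  # 64-bit block, the DES block size


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel over SHA-256). NOT DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def enc64(i: int) -> bytes:
    """<i>: the 64-bit encoding of integer i, as in the message."""
    return i.to_bytes(BLOCK, "big")


def cbc_one_block(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """CBC encryption of a single-block message: E_k(IV xor M)."""
    return toy_encrypt_block(key, bytes(a ^ b for a, b in zip(iv, msg)))


def counter_ivs():
    """IV takes on the values <0>, <1>, ... (the misuse in the message)."""
    i = 0
    while True:
        yield enc64(i)
        i += 1


def random_ivs():
    """Unpredictable IVs (assumed here as the proper use)."""
    while True:
        yield os.urandom(BLOCK)


def adversary_guess(second_msg: int, ivs, key: bytes) -> str:
    """Sender encrypts <0>, then <second_msg>; adversary sees only ciphertexts."""
    c_first = cbc_one_block(key, next(ivs), enc64(0))
    c_second = cbc_one_block(key, next(ivs), enc64(second_msg))
    # With counter IVs: <1> xor <1> = <0> xor <0>, so equal blocks mean "<0>,<1>".
    return "<0>,<1>" if c_first == c_second else "<0>,<0>"


if __name__ == "__main__":
    k = os.urandom(8)
    for m in (0, 1):
        print("sent <0>,<%d>  counter IV guess:" % m, adversary_guess(m, counter_ivs(), k),
              " random IV guess:", adversary_guess(m, random_ivs(), k))
```

With counter IVs the guess is always right; with random IVs the equality test returns the same answer for both message pairs and so carries no information.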