
Re: response to Last Call on: IP Authentication using Keyed MD5
Phil Rogaway writes:
>   > There is already an explicit
>   > reference in the document to the fact that under some circumstances
>   > integrity can be breached...
> I'm not sure what you're trying to say, but the introduction of your
> document, AND the next higher-level document (draft-ietf-ipsec-esp-01.txt), 
> AND the next higher-level document after that (draft-ietf-ipsec-arch-02.txt) 
> ALL maintain that the encryption mechanism provides integrity.

Phil, do I have to spell it out yet again?

ESP *does* potentially provide integrity. That's why the language is in
there. ESP is *not* the "encryption mechanism". The architecture
defines it simply as the way to encapsulate opaque IPSP
packets. That's why the "E" doesn't stand for "encryption". One is free
to define an ESP transform that combines integrity and privacy. That's
why the documents say what they do.

> Either DES CBC encryption is architecturally non-compliant (and so
> the mechanism has to be changed), or else all of the above
> statements about the encryption buying you integrity need to be
> changed.

There is a third possibility, which I will leave to people's imaginations.

>   > As for counters, assuming that DES does in fact work as advertised,
>   > flipping one bit in the IV should flip, on average, 50% of the output
>   > bits. Do you have evidence that this is insufficient for purposes of
>   > disguising identical initial blocks, which is all an IV does in life?
> Maybe you don't understand the purpose of the IV: properly used in CBC 
> encryption the method achieves semantic security; improperly used, it 
> does not.

What is "semantic security"? This is a term I have yet to hear in many
years of work in the field of cryptography. Doubtless it's just my
ignorance at play. I always thought that an IV was just a way to
assure identical plaintext doesn't turn into identical cyphertext. Silly
me.

> A one-line proof of this: simply note that if the IV takes 
> on values <0>, <1>, ...  then the adversary can distinguish the encryption of
> message <0> followed by the encryption of message <0>   FROM   the 
> encryption of message <0> followed by the encryption of message <1>.
> (Here <i> means the 64-bit encoding of integer i).

What are you talking about here? Pardon me, but I don't understand
your "one line proof".

> (Perry - further discussion on these particular issues need not involve 
> the entire mailing list.)

Thank you. In the future, feel free to send private mail.

Perry
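Phil Rogaway's one-line proof above, worked through in code as an added example that is not part of the thread: with counter IVs <0>, <1> in DES-CBC, the first ciphertext block of message <1> under IV <1> is E_K(<1> XOR <1>) = E_K(<0>), identical to the block for message <0> under IV <0>, so an adversary tells the sequence <0>,<0> from <0>,<1> just by comparing ciphertexts; an unpredictable IV removes that leak. The key is a constructed value and the function names are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Enc64 is the "<i>" of the thread: the 64-bit big-endian encoding of i.
func Enc64(i uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, i)
	return b
}

// firstCBCBlock returns C_1 = E_K(P_1 XOR IV) under DES.
func firstCBCBlock(key, iv, p []byte) []byte {
	blk, err := des.NewCipher(key) // key must be exactly 8 bytes
	if err != nil {
		panic(err)
	}
	x := make([]byte, des.BlockSize)
	for i := range x {
		x[i] = p[i] ^ iv[i] // CBC feeds the IV into the first plaintext block
	}
	blk.Encrypt(x, x) // in place; Encrypt permits dst and src to coincide exactly
	return x
}

// CounterIVsCollide: m1 under IV <0>, m2 under IV <1>; equal ciphertexts is all the distinguisher checks.
func CounterIVsCollide(key, m1, m2 []byte) bool {
	return bytes.Equal(firstCBCBlock(key, Enc64(0), m1), firstCBCBlock(key, Enc64(1), m2))
}

// RandomIVsCollide is the fix: fresh unpredictable IVs make a collision a 2^-64 event.
func RandomIVsCollide(key, m1, m2 []byte) bool {
	iv := make([]byte, 2*des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return bytes.Equal(firstCBCBlock(key, iv[:8], m1), firstCBCBlock(key, iv[8:], m2))
}

func main() {
	key := []byte("k3y-d3m0") // constructed demo key, not a real one
	fmt.Println(CounterIVsCollide(key, Enc64(0), Enc64(0))) // false: E_K(0) vs E_K(1)
	fmt.Println(CounterIVsCollide(key, Enc64(0), Enc64(1))) // true:  E_K(0) vs E_K(1 XOR 1)
}
```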