
Re: replay attacks



Hi Ran,

 I would be willing to write up a privacy+integrity
 transform based on DES + some flavor of keyed MD5. 
 My sense has been that these goals are best kept 
 architecturally orthogonal (i.e., one would use ESP + AH 
 protection if you expect privacy + authenticity), yet
 there may be some benefits (e.g., slightly smaller total 
 packet length) if one treats the privacy + authenticity transform 
 as a single composite one.

 Regarding replay detection: I suggest that, 
 rather than use as a sequence number the 16-bit reserved space of 
 the AH header (which would be a bit spare!), replay detection can 
 be handled by choosing a MAC mechanism which directly provides
 that service.  Indeed a 96-128 bit MAC has ample space to 
 directly incorporate replay detection, and one can "generically" 
 modify any (ordinary) Message Authentication mechanism into a new
 one which protects against replays.  The cost is making the 
 MAC some 32-64 bits longer, say.


Phil
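
One possible form of the generic construction described in the message above, as an added example that is not part of the original post: a 32-bit counter is carried inside the tag and covered by the base MAC, and the receiver rejects any counter it has already accepted. HMAC-SHA-256 truncated to 96 bits stands in for keyed MD5; the class names, counter layout and the 32-entry reordering window (which goes beyond the message, to tolerate out-of-order datagrams) are assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 12   # 96-bit base MAC (assumed size)
CTR_LEN = 4    # 32 extra tag bits that carry the replay counter (assumed size)
WINDOW = 32    # how far behind the highest counter a late packet may arrive

def base_mac(key: bytes, data: bytes) -> bytes:
    """Ordinary MAC with no replay protection; stand-in for keyed MD5."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key: bytes):
        self.key, self.ctr = key, 0

    def tag(self, msg: bytes) -> bytes:
        self.ctr += 1
        if self.ctr >= 2 ** 32:
            raise OverflowError("counter exhausted; a new key is required")
        c = struct.pack(">I", self.ctr)
        # Fixed-length counter prefix keeps counter||message unambiguous.
        return c + base_mac(self.key, c + msg)

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest counter accepted so far
        self.seen = 1      # bit i set => counter (highest - i) already accepted

    def verify(self, msg: bytes, tag: bytes) -> bool:
        if len(tag) != CTR_LEN + MAC_LEN:
            return False
        c, mac = tag[:CTR_LEN], tag[CTR_LEN:]
        # Authenticate first, so forged counters never move the window.
        if not hmac.compare_digest(mac, base_mac(self.key, c + msg)):
            return False
        n = struct.unpack(">I", c)[0]
        if n > self.highest:
            shift = n - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = n
            return True
        offset = self.highest - n
        if offset >= WINDOW or (self.seen >> offset) & 1:
            return False   # too old to track, or a replay
        self.seen |= 1 << offset
        return True
```

The combined tag is 128 bits here: the 96-bit base MAC plus the 32 bits of counter, matching the cost estimate in the message.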

