[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: replay attacks

To: Theodore Ts'o <tytso@MIT.EDU>
Subject: Re: replay attacks
From: smb@research.att.com
Date: Wed, 13 Sep 95 20:58:10 EDT
Cc: "David A. Wagner" <dawagner@phoenix.Princeton.EDU>, ipsec@ans.net

	    The sequence number must be big enough that no packet using
	    it can be replayed during the lifetime of a key.  32 bits
	    is demonstrably insufficient; if my arithmetic is right, at
	    FDDI speeds such a counter would cycle in just a few
	    hours.  48 bits would suffice, though if line speeds get
	    much above 10 giabits/second we may have to cut our key
	    lifetime a bit.

	 At the risk of having people who worry about low speed lines
	 run out and lynch me (although I could imagine some creative
	 header compression algorithms could be done if necessary),
	 would it perhaps be a good idea to go to 64 bits for the
	 sequence number?  This has the further advantage of keeping
	 things 32-bit aligned, which I thought was something that
	 preferred to do, at least for IPv6.  For IPV4, of course, this
	 isn't an issue.

It's certainly reasonable, but I won't comment on that without further
analysis.  I wanted to bound the size from below; it might be that clever
packet layout might find a way to use 48 bits, while 64 would cause another
boundary jump.

One point I inadvertently omitted from my last message:  given my stated
preference for an algorithm-independent replay counter, I don't have
any objection to a particular algorithm using the counter field for
its own purposes, such as the IV.  But whether or not that actually
works in a given case has to be analyzed for that algorithm, given its
own particular characteristics.

Prev by Date: Re: replay attacks
Next by Date: Photuris, once more
Prev by thread: Re: replay attacks
Next by thread: Re: replay attacks
Index(es):
- Main
- Thread