
Re: Photuris questions



> > If both AH and ESP are indicated by one SPI, then how are the keys for
> > the two modes assigned?  Are there two separate keys?
> >
> The same key bitstuff is reused.  There are two separate session-keys
> only when two separate SPIs.  SPI => session-key, remember?

Re-using the same key with two different algorithms (or the same algorithm
in two different modes) is a really bad thing to do:

 - If the same key is used in two modes, there are often attacks when one mode
   is used to break the other (particularly if one mode is a confidentiality
   mode and the other is an authentication mode),

 - If the same key is used with two algorithms, one algorithm can be used to
   break the other. Suppose I'm using RC4-40 for ESP confidentiality (which, for
   the sake of argument, imagine I don't care too much about) and a DES MAC
   for AH integrity (which I do care about). An attacker can break the RC4-40
   by exhaustive search, and then use their new-found knowledge of 40 bits of
   the DES key to break the DES key by exhaustive search too. This would be bad.

If multiple use of the same key is to be permitted at all, the specification
should contain some warning about why you shouldn't do it.

Mike
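
The work-factor argument in the message above, as an added example that is not part of the original post: it compares how many DES MAC key bits remain unknown after the RC4-40 key is recovered, first when both keys are read from the same session-key bits and then when each is derived separately. The labelled HMAC-SHA256 derivation is an assumed mitigation, not something Photuris specifies; the session key, labels and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed 128-bit session key standing in for the key bound to one SPI.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

RC4_BITS = 40   # ESP confidentiality key length in the message's example
DES_BITS = 56   # effective DES MAC key length for AH integrity


def leading_bits(data: bytes, nbits: int) -> int:
    """Return the first nbits of data as an integer."""
    return int.from_bytes(data, "big") >> (len(data) * 8 - nbits)


def reused_keys(session_key: bytes) -> tuple[int, int]:
    """Reuse: both algorithms take their key from the same leading bits."""
    return leading_bits(session_key, RC4_BITS), leading_bits(session_key, DES_BITS)


def separated_keys(session_key: bytes) -> tuple[int, int]:
    """Assumed mitigation: derive one key per purpose with a labelled HMAC."""
    def derive(label: bytes, nbits: int) -> int:
        digest = hmac.new(session_key, label, hashlib.sha256).digest()
        return leading_bits(digest, nbits)
    return derive(b"ESP confidentiality", RC4_BITS), derive(b"AH integrity", DES_BITS)


def residual_search_bits(rc4_key: int, des_key: int) -> int:
    """Unknown DES key bits left once the 40-bit RC4 key has been recovered."""
    shared = (des_key >> (DES_BITS - RC4_BITS)) == rc4_key
    return DES_BITS - RC4_BITS if shared else DES_BITS


if __name__ == "__main__":
    for name, keys in (("reused", reused_keys(SESSION_KEY)),
                       ("separated", separated_keys(SESSION_KEY))):
        print(f"{name}: 2^{residual_search_bits(*keys)} DES keys left to search")
```

With reuse, the integrity key is only as strong as the 16 bits the confidentiality key does not cover; with separate derivation, recovering the 40-bit key reveals nothing about the MAC key.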

