
Re: draft-ietf-ipsec-esp-des-md5-01.txt



Naganand Doraswamy wrote:
> 
> Is there any security reason as to why we are XORing the IV key when we use
> 32 bit IV and replay protection and not when using IV length of 64 bits.

The reason the XOR was added to the replay/IV creation is to defend against a 
codebook attack of early blocks assuming that the SPI is not a random number...

The reason for adding the XOR to the 32 bit IV was to prevent a birthday/codebook 
attack on the first 65K packets... This is not a significant attack, but one that 
is simple to cover...

Frankly, I had not thought about doing this for the 64 bit version.... I see little 
value in doing it, but it does not hurt?

Here is a note from an early draft that I used to explain the change.

   [Note, The IV32 procedure is a change from the esp-des-cbc. XORing by
   the IV key prevents a birthday/codebook attack on the first block.
   Inverting the second half does not mitigate the birthday/codebook
   attack.]

> If there is none, then I would suggest that we make it uniform and either XOR
> with IV key for all transform or dont do it for any transform.

This is OK by me. Comments from the Gallery?

jim