
RE: pf_key comments



> Harald Koch writes:
>
> > Does the IV have to be *unpredictably* different, or just different?
> >
> > (The NRL code, for example, simply increments the IV after each packet).
>
> Just different.  If you look at the nature of the feedback in CBC for
> any chained blocks, the IV is simply the last data-cipher block, which
> is "public" information.  The only danger I've ever heard of
> incrementing an IV from one chain to the next is that the IV bits are
> almost identical at the start of each chain; but to my knowledge, this
> has never been exploited.

Phil Rogaway has pointed out that if the IV and the first data block are both
changing so as to cause their xor to be constant, the purpose of the IV is
defeated.  I don't know if this has ever been observed in practice, but it
is something to keep in mind (I suppose someone now will try to design
this into a protocol as some kind of optimization!).


Hilarie
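The two positions in this exchange can be checked side by side: an incrementing IV is harmless when the first plaintext block does not move in step with it, but if the packet sequence number sits in the first block at the same offset as the IV counter, IV XOR P1 is constant and every packet's first ciphertext block (and, with an unchanged payload, the whole ciphertext) repeats. The following is an added example, not code from the thread, the NRL code or pf_key. It assumes a toy 4-round Feistel permutation built from HMAC-SHA256 as a stand-in for a real block cipher, a constructed packet layout (12-byte fixed header plus a 4-byte sequence number), and a fixed demo key; the `counter_iv` and `encrypted_counter_iv` helpers are illustrative names, not any implementation's API.

```python
import hashlib
import hmac
import struct

BLOCK = 16

# Constructed demo key so the run is reproducible; a real system uses a random key.
KEY = b"example-key-for-cbc-iv-demo-only"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: first 8 bytes of HMAC-SHA256 over (round, half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit keyed permutation (4-round Feistel). It stands in for AES so
    the example runs with the standard library only; it is NOT a real cipher,
    but being a Feistel network it is a genuine permutation of the block."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E_K(C_{i-1} XOR P_i), with C_0 = IV."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    blocks, prev = [], iv
    for off in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[off:off + BLOCK]))
        blocks.append(prev)
    return b"".join(blocks)


def make_packet(seq: int, payload: bytes, seq_in_header: bool) -> bytes:
    """Constructed layout: a 16-byte header block followed by the payload.
    With seq_in_header the last 4 header bytes carry the packet counter
    (the same offset the counter IV below uses); otherwise they are zero."""
    if seq_in_header:
        header = b"HDR" + b"\x00" * 9 + struct.pack(">I", seq)
    else:
        header = b"HDR" + b"\x00" * 13
    return header + payload


def counter_iv(seq: int) -> bytes:
    """Incrementing IV as in the quoted message: fixed bytes plus a counter."""
    return b"\xa5" * 12 + struct.pack(">I", seq)


def encrypted_counter_iv(seq: int) -> bytes:
    """Unpredictable IV: the counter is passed through the block cipher first,
    so no plaintext field can move in lockstep with it."""
    return block_encrypt(KEY, b"\x00" * 12 + struct.pack(">I", seq))


def first_cipher_blocks(iv_scheme, seq_in_header: bool, n: int = 8) -> list:
    """Encrypt n packets that share one payload; return each first ciphertext block."""
    payload = b"same 16B payload"  # exactly one block
    return [cbc_encrypt(KEY, iv_scheme(seq), make_packet(seq, payload, seq_in_header))[:BLOCK]
            for seq in range(n)]


def distinct_first_blocks(iv_scheme, seq_in_header: bool, n: int = 8) -> int:
    """What a passive observer can count: distinct first ciphertext blocks."""
    return len(set(first_cipher_blocks(iv_scheme, seq_in_header, n)))


if __name__ == "__main__":
    # "Just different" case: counter IV, no lockstep field in the plaintext.
    print("counter IV, plain header:   ", distinct_first_blocks(counter_iv, False))
    # Rogaway's case: IV XOR P1 is constant, so every C1 is identical.
    print("counter IV, seq in header:  ", distinct_first_blocks(counter_iv, True))
    # Encrypted counter as IV removes the lockstep regardless of packet layout.
    print("encrypted ctr, seq in header:", distinct_first_blocks(encrypted_counter_iv, True))
```

Because `block_encrypt` is a permutation, the first two results are exact rather than probabilistic: distinct CBC inputs give distinct first blocks, and identical inputs give identical ones. The repeated first block is also the observable to look for when auditing a protocol: if ciphertexts of packets with shared headers start with the same block, the IV and the first plaintext block are cancelling.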

