[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Proposed changes to ESP (andf a little AH too)
Bill Sommerfeld writes:
[re: ciphertext = MAC(encrypt(plaintext))]
> Normally I tend to like things which improve performance, but I don't
> really like this proposal, for robustness reasons; it allows errors in
> encryption or decryption to go undetected, while doing the MAC over
> the plaintext provides better assurance that the data was decrypted
> correctly.
The optional preliminary "sanity check" of the decrypted replay counter
value (in e.g. draft-...-esp-3des-md5-00) still could be used to detect
most encryption/decryption errors, provided the counter remains inside
the encrypted portion and randomly initialized. This would represent an
intermediate approach between the current method and the revised one
proposed by Steve K. (et al. ?). Fake packets could be detected
relatively quickly, as per Steve, but replays would still take longer to
notice, as per the status quo. Presumably the sanity check would change
from optional to required or recommended.
-Lewis
References: