
Re: Proposed changes to ESP (and a little AH too)



Bill Sommerfeld writes:
[re: ciphertext = MAC(encrypt(plaintext))]
> Normally I tend to like things which improve performance, but I don't
> really like this proposal, for robustness reasons; it allows errors in
> encryption or decryption to go undetected, while doing the MAC over
> the plaintext provides better assurance that the data was decrypted
> correctly.

The optional preliminary "sanity check" of the decrypted replay counter 
value (in e.g. draft-...-esp-3des-md5-00) still could be used to detect 
most encryption/decryption errors, provided the counter remains inside
the encrypted portion and randomly initialized. This would represent an 
intermediate approach between the current method and the revised one 
proposed by Steve K. (et al. ?). Fake packets could be detected 
relatively quickly, as per Steve, but replays would still take longer to 
notice, as per the status quo. Presumably the sanity check would change
from optional to required or recommended.

-Lewis
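
The receive order discussed in this message, as an added example that is not part of the original post or of any draft: the MAC is checked over the ciphertext first, then the decrypted counter gets a sanity check. Assumptions: the names `seal` and `Receiver`, a 32-bit counter, a window of 64, HMAC-SHA-256 as the MAC, and a SHA-256 keystream standing in for the draft's cipher.

```python
import hashlib, hmac, os, struct

WINDOW = 64            # assumed width of the counter sanity window
MOD = 1 << 32          # assumed 32-bit replay counter

def _stream(key, iv, n):
    # Stand-in cipher: SHA-256 in counter mode, not the draft's 3DES.
    blocks = (hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data, key, iv):
    return bytes(a ^ b for a, b in zip(data, _stream(key, iv, len(data))))

def seal(enc_key, mac_key, counter, payload):
    iv = os.urandom(8)
    # The counter travels inside the encrypted portion.
    ct = iv + _xor(struct.pack(">I", counter) + payload, enc_key, iv)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

class Receiver:
    def __init__(self, enc_key, mac_key, start):
        # start: the randomly initialized counter agreed at setup (assumed)
        self.enc_key, self.mac_key, self.last = enc_key, mac_key, start

    def open(self, packet):
        ct, tag = packet[:-32], packet[-32:]
        good = hmac.new(self.mac_key, ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "fake", None            # caught before any decryption
        body = _xor(ct[8:], self.enc_key, ct[:8])
        ahead = (struct.unpack(">I", body[:4])[0] - self.last) % MOD
        if 1 <= ahead <= WINDOW:
            self.last = (self.last + ahead) % MOD
            return "ok", body[4:]
        if ahead == 0 or ahead > MOD - WINDOW:
            return "replay", None          # only visible after decryption
        return "decrypt-error", None       # counter is nowhere near expected
```

A receiver holding the right MAC key but the wrong cipher key decrypts the counter to an effectively random value, so the sanity check catches it except when that value happens to land near the expected one.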

