
Re: Proposed changes to ESP (and a little AH too)



In article <9703231820.AA24783@hawpub.watson.ibm.com>,
Uri Blumenthal  <uri@watson.ibm.com> wrote:
> The main argument against doing encryption first and auth second would
> be - generally speaking there is no guarantee even if you verified the 
> CIPHERTEXT correctly,  that the PLAINTEXT finally obtained is the same
> as was sent.

That's a robustness argument against authenticating the ciphertext,
and a pretty good one if the decryption routine is complicated.

However, if the decryption is simple & easy to analyze, we can (mostly)
put to rest those fears about authenticating ciphertext.

Suppose the decryption routine depends only on the authenticated
ciphertext (and a key).  We assume the two endpoints both see the same
view of the key.  Furthermore, we assume the MAC is secure, so that
the two endpoints both share the same view of the ciphertext.  Because
decryption is a function that depends on no other parameters (by
assumption), then the result of decryption will be the same at both
endpoints.  Therefore, you can be sure that the plaintext finally
obtained is the same as was sent.

Some examples where this informal "proof" goes wrong will probably
make the argument clearer.  If decryption depended on an IV which
wasn't authenticated (more specifically, wasn't included in the MAC
input for this packet), then the argument fails -- and indeed, an
adversary with control over the IV can fake the first block of
plaintext at will without breaking the MAC.  If decryption included
a decompression stage which depended on some context (an LZH dictionary,
say), and that context was implicit and un-authenticated, the argument
fails.

So-- how simple is the decryption routine?  What parameters does it
depend on?  If the decryption routine is simple enough that we can
(with pretty high assurance) isolate all the parameters it depends on
and ensure that they are authenticated, then we have a good argument
saying that authenticating the ciphertext is safe.  Otherwise, we
should start to worry that authenticating the ciphertext is not
robust enough.
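The unauthenticated-IV case from the post, worked through as an added example (not code from the original message): CBC over a constructed toy Feistel block cipher, encrypt-then-MAC with HMAC-SHA256, and a receiver that verifies before decrypting. With the MAC computed over the ciphertext alone, a packet whose IV was changed in transit still verifies and decrypts to a different first block; once the IV is part of the MAC input, every parameter the decryption routine depends on is authenticated and the altered packet is rejected. The keys, IV, message and the block cipher are all constructed for the illustration.

```python
import hmac, hashlib
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):
    # Toy Feistel round function (constructed for illustration, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    # Decryption depends on the key, the ciphertext AND the IV: all three must be authenticated.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def tag_for(mac_key, iv, ct, cover_iv):
    # cover_iv=False is the flawed design: the MAC input omits a decryption parameter.
    return hmac.new(mac_key, iv + ct if cover_iv else ct, hashlib.sha256).digest()
def open_packet(enc_key, mac_key, iv, ct, tag, cover_iv):
    # Receiver: verify first, decrypt only what the MAC vouches for.
    if not hmac.compare_digest(tag_for(mac_key, iv, ct, cover_iv), tag):
        return None
    return cbc_decrypt(enc_key, iv, ct)

def demo(cover_iv):
    # Constructed keys, IV and a two-block message; the IV is changed in transit.
    enc_key, mac_key, iv = b"E" * 16, b"M" * 16, bytes(range(16))
    pt = b"hello, this is a two-block text."
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = tag_for(mac_key, iv, ct, cover_iv)
    altered_iv = bytes([iv[0] ^ 0x01]) + iv[1:]
    return open_packet(enc_key, mac_key, altered_iv, ct, tag, cover_iv)
```

`demo(False)` returns a plaintext whose first byte differs from what was sent even though the tag verified; `demo(True)` returns `None` because the receiver detects the changed IV.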

