[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Slicing and Dicing in new-esp

To: ipsec@tis.com
Subject: Slicing and Dicing in new-esp
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
Date: Thu, 10 Apr 1997 17:18:25 -0400
Sender: owner-ipsec@ex.tis.com

The new esp draft, draft-ietf-ipsec-new-esp-00.txt, has two "slots"
into which algorithms can be plugged -- an encryption slot, and an
integrity slot.  This is somewhat different from the previous
monolithic transform architecture in the Hughes draft.

The consensus on slice & dice at the meeting today was that transforms
get one key, and are responsible for dividing the "key blob" between
the various uses they have for it.

In the case of new-esp, we have a hierarchical arrangement, with ESP
in the middle, key management above, and algorithms beneath; the
new-esp document really defines both ESP and a "meta" transform.

I presume that the new-esp meta-transform gets a (single) key blob
from "above" and needs to break it up and pass "key blobs" down into
the algorithms which plug into it.

Now, there are certain, obvious to a non-cryptographer, problems with
passing the exact same blob to both algorithms.  I believe that the
right thing to do here is to specify that new-ESP is responsible for
dividing the blob into two pieces and feeding one to the encryption
algorithm and the other into the integrity algorithm; the individual
algorithms are resposible for any relevant algorithmic-specific key
processing.

					- Bill

Prev by Date: Inconsistent Specs.
Next by Date: Re: MUST vs. SHOULD audit
Prev by thread: Re: Inconsistent Specs.
Next by thread: Re: Slicing and Dicing in new-esp
Index(es):
- Main
- Thread