
padding values history



I've spent some time looking up some of the history.

The original Karn proposal (circa 1992) specified padding with zeroes,
and checking them upon receipt.

In January 1995, various folks complained that checking values would
slow down their implementations too much.  So, the padding was changed
to "unspecified implementation dependent values", and the checking was
removed.

In March 1995, some folks thought the values should be random to limit
"known plaintext".  There was some argument -- "(preferably random)" was
added, but still left to the implementation.  This was published.

In February and March 1996, Wagner (with Bellovin) wrote up a "short
message" attack, particularly useful for finding telnet passwords.  The
attack is aided by the lack of checking the trailing padding fields.

In April 1996, RSA "purists" examined ESP.  One of the issues raised by
Baldwin was covert and subliminal channels.  Although there are many in
the IPSec transforms, using the 0,1,2,3,... self-describing padding was
suggested as a way to minimize that problem in ESP.

That's a reduction, not an elimination.  There is still a small channel
by specifying different padding multiples: 4, 12, 20 all give the same
alignment, but the variation from packet to packet could pass a bit or
two of covert data.

Yes, this is getting esoteric.  But the implementors at the time agreed
to change to a known padding sequence, but make the checking optional,
providing backward compatibility.  This implementors' agreement was
reflected in my drafts of that month.

As to the complaint that this adds "known plaintext" for cryptanalysis,
the PadLength can only be a few discrete values, and the PayloadType can
only be a few discrete values, so there is already known text in that
trailing block.

Baldwin: "This small amount of known plaintext does not create any
problems for modern ciphers."

Bellovin: "... avoid use of weak ciphers."

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
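
Added example, not part of the original message: a Python sketch of the known-sequence padding with receiver-side checking that the message describes, next to the unchecked case. The 8-byte block size, the function names and the sample payload are assumptions; the pad sequence starts at 0 as the message writes it.

```python
BLOCK = 8      # assumed 64-bit block cipher
PAD_START = 0  # the message writes the sequence as 0,1,2,3,...


def known_pad(n):
    """The self-describing pad sequence of length n."""
    return bytes((PAD_START + i) & 0xFF for i in range(n))


def build_trailer(payload, payload_type, extra_blocks=0, pad=None):
    """payload || padding || PadLength || PayloadType, block aligned."""
    pad_len = -(len(payload) + 2) % BLOCK + extra_blocks * BLOCK
    if pad_len > 255:
        raise ValueError("PadLength does not fit in one byte")
    if pad is None:
        pad = known_pad(pad_len)
    elif len(pad) != pad_len:
        raise ValueError("supplied pad has the wrong length")
    return payload + pad + bytes([pad_len, payload_type])


def parse_trailer(plaintext, check_padding=True):
    """Split decrypted plaintext into (payload, pad_len, payload_type)."""
    if len(plaintext) < 2 or len(plaintext) % BLOCK:
        raise ValueError("plaintext is not block aligned")
    pad_len, payload_type = plaintext[-2], plaintext[-1]
    end = len(plaintext) - 2
    if pad_len > end:
        raise ValueError("PadLength exceeds the packet")
    if check_padding and plaintext[end - pad_len:end] != known_pad(pad_len):
        raise ValueError("padding is not the known sequence")
    return plaintext[:end - pad_len], pad_len, payload_type


def accepted(plaintext, check_padding):
    """True if the receiver would accept this decrypted plaintext."""
    try:
        parse_trailer(plaintext, check_padding)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = b"login: bob"  # constructed sample, 10 bytes
    odd = build_trailer(payload, 6, pad=b"\xde\xad\xbe\xef")
    print("arbitrary pad, unchecked:", accepted(odd, False))
    print("arbitrary pad, checked:  ", accepted(odd, True))
    # Residual channel: 4, 12 and 20 pad bytes all pass the check.
    print([parse_trailer(build_trailer(payload, 6, k))[1] for k in range(3)])
```

With checking on, the only freedom left to a sender is the number of whole extra blocks of padding, which is the small channel the message describes.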

