
Re: Derived versus Explicit IV



   References: <6314.wsimpson@greendragon.com>
   From: "C. Harald Koch" <chk@utcc.utoronto.ca>

   The draft ESP spec, combined with the ciph-des-derived spec, is compatible
   with the 32-bit-IV option in RFC 1827+1829, which in turn is the most
   commonly implemented transform. 

This is not strictly true.  It's true *only* if the authenticator is not
present (which opens you to the active attacks pointed out by Steve
Bellovin), and if you assume the RFC-1829 implementation uses a counter
initialized to zero for the 32-bit IV.  Given that support for the
authenticator is required, an old RFC-1829 implementation won't be
compliant anyway.

In my judgement, this limited interoperability isn't particularly
useful, all things considered.   If you're going to be implementing
something which is compatible with the old RFC1827-1829, you can simply
use those old RFCs; they're not going away.

If you're going to be supporting the new key management stuff, it's not
that hard to support the new cipher algorithms, and there are very good
security reasons for doing so.  

Finally, if you need to support both the old manual keying way of doing
things and the new key-management way of doing things, the extra code to
support a new cipher algorithm is minimal; the size of your DES, MD5,
SHA, et al. implementation will completely dwarf the extra code you
need to support the new way of handling the sequence number and IV
(which is, after all, simply byte juggling).

						- Ted
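An added example, not part of the message above or of the specs it cites, that models the interoperability condition Ted states. It uses the RFC 1829 rule for the 32-bit IV option (the 64-bit DES IV is the 32-bit word followed by its bitwise complement) and assumes that a derived-IV transform applies the same rule to the sequence-number field; the packet layouts, the SPI value, the payload and the 12-byte authenticator length are constructed for illustration. It shows that an old explicit-IV sender is only accepted by a sequence-checking, IV-deriving receiver when its IV counter starts at zero, and that an old receiver cannot even block-align the ciphertext once a trailing authenticator is present.

```python
# Constructed model of RFC 1827/1829 (explicit 32-bit IV) versus a draft-style
# ESP with a sequence number and a derived IV. Not the code of either spec.

MASK32 = 0xFFFFFFFF
BLOCK = 8  # DES block size in bytes


def iv64_from_word(word):
    """RFC 1829 32-bit IV option: 64-bit IV = word || bitwise complement of word."""
    word &= MASK32
    return word.to_bytes(4, "big") + ((~word) & MASK32).to_bytes(4, "big")


def old_esp_packet(spi, iv_word, ciphertext):
    """RFC 1827/1829 layout with the 32-bit IV option: SPI | IV32 | ciphertext."""
    return spi.to_bytes(4, "big") + (iv_word & MASK32).to_bytes(4, "big") + ciphertext


def new_esp_packet(spi, seq, ciphertext, authenticator=b""):
    """Draft-style layout as assumed here: SPI | SeqNo | ciphertext | authenticator.
    There is no IV field; the receiver derives the IV from the sequence number
    (assumption: same word||complement rule as RFC 1829)."""
    return (spi.to_bytes(4, "big") + (seq & MASK32).to_bytes(4, "big")
            + ciphertext + authenticator)


class DerivedIvReceiver:
    """New-style receiver: strict in-order sequence check, counter starting at 0,
    IV derived from the 4 bytes that follow the SPI."""

    def __init__(self):
        self.expected = 0

    def accept(self, packet):
        seq = int.from_bytes(packet[4:8], "big")
        if seq != self.expected:
            return None  # out of sequence: rejected as a replay
        self.expected = (seq + 1) & MASK32
        return iv64_from_word(seq)


def old_sender_interoperates(counter_start, count=4):
    """True iff an RFC 1829 sender whose IV counter starts at counter_start gets
    every packet accepted AND the receiver derives the IV the sender used."""
    rx = DerivedIvReceiver()
    for i in range(count):
        iv_word = (counter_start + i) & MASK32
        pkt = old_esp_packet(0x1000, iv_word, b"\x00" * BLOCK)  # constructed payload
        derived = rx.accept(pkt)
        if derived is None or derived != iv64_from_word(iv_word):
            return False
    return True


def old_receiver_parses(packet):
    """RFC 1829 receiver's view: everything after SPI|IV is ciphertext, which must
    be a whole number of DES blocks. A trailing authenticator breaks that."""
    data = packet[8:]
    return len(data) % BLOCK == 0


if __name__ == "__main__":
    print("counter from 0 :", old_sender_interoperates(0))
    print("counter from 1 :", old_sender_interoperates(1))
    plain = new_esp_packet(0x1000, 0, b"\x00" * 16)
    authed = new_esp_packet(0x1000, 0, b"\x00" * 16, b"\xaa" * 12)  # constructed 96-bit tag
    print("old parser, no auth :", old_receiver_parses(plain))
    print("old parser, with auth:", old_receiver_parses(authed))
```

The two checks correspond to Ted's two conditions: the derived-IV receiver's sequence check only lines up with an old sender whose IV counter happens to start at zero and step by one, and the old receiver has no notion of the authenticator field, so as soon as one is required the old format is not block-aligned, let alone authenticated.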


