
Re: Derived versus Explicit IV



On Wed, 23 Jul 1997, Theodore Y. Ts'o wrote:

>    References: <6314.wsimpson@greendragon.com>
>    From: "C. Harald Koch" <chk@utcc.utoronto.ca>
> 
>    The draft ESP spec, combined with the ciph-des-derived spec, is
>    compatible with the 32-bit-IV option in RFC 1827+1829, which in turn
>    is the most commonly implemented transform.
> 
> This is not strictly true.  It's true *only* if the authenticator is not
> present (which opens you to the active attacks pointed out by Steve
> Bellovin), and if you assume the RFC-1829 implementation uses a counter
> initialized to zero for the 32-bit IV.  Given that support for the
> authenticator is required, an old RFC-1829 implementation won't be
> compliant anyway.

Authentication can be provided by a separate AH header. For interoperability,
it doesn't matter how the 32-bit IV is generated. RFC-1829 implementations
won't be compliant, but at least they will be compatible.

> In my judgement, this limited interoperability isn't particularly
> useful, all things considered.   If you're going to be implementing
> something which is compatible with the old RFC1827-1829, you can simply
> use those old RFC's; they're not going away.

Don't forget there is an RFC-1829 installed base out there.

> If you're going to be supporting the new key management stuff, it's not
> that hard to support the new cipher algorithms, and there are very good
> security reasons for doing so.  
> 
> Finally, if you need to support both the old manual keying way of doing
> things and the new key-management way of doing things, the extra code to
> support a new cipher algorithm is minimal; the size of your DES, MD5,
> SHA, et al. implementation will completely dwarf the extra code you
> need to support the new way of handling the sequence number and IV
> (which is after all, simply byte juggling).

Why add unnecessary complexity?

Norm


                    Norman Shulman      Secure Computing Canada
                 Systems Developer      Tel 1 416 813 2075
      norm@tor.securecomputing.com      Fax 1 416 813 2001
