
Derived versus Explicit technical rationale

The technical rationale seems to be forgotten in the debate.

Please remember: there is no technical advantage to Explicit.  Explicit
is _NOT_ more cryptographically secure than Derived.  Also, Explicit
wastes bytes.

An Explicit IV allows undetectable modification of the first block.  A
single bit change produces a single bit change in the deciphered
plaintext.  Any multiple bit changes are independent.  It has a
cryptographic strength of "2**0" -- no bits of protection.

A Derived IV is stronger.  Any single bit change produces multiple bits
of change to the first plaintext block.  Any multiple bit changes are
related.  The strength will vary depending on the derivation algorithm.
Several algorithms have been proposed.  See
draft-simpson-ipsec-enhancement-01.txt.

The method used in RFC-1829 has a strength of at least order "2**7".
This is the work factor of finding an IV that affects the underlying
text in an undetectable fashion, given the normal TCP, UDP, IP checksum.

However, given that the derivation is from a sequence number providing
anti-replay protection, this provides _mutual_ protection between the
sequence number and the first block (birthday attacks no longer apply),
and a strength based on the size of the field: "2**32".

It has been argued that adding AH or an Authenticator field brings that
Explicit IV the same level of protection.  But this protection is in
_addition_ to the protection afforded by the underlying construct.
Implicit is still cryptographically and practically stronger.

Even had analysis shown that Explicit and Implicit were equal, that
gives no technical rationale for using an Explicit IV.

Given that an Explicit IV has not been proven to be STRONGER, and that
it takes 8 extra bytes, I know of no technical argument for having an
Explicit IV in _ANY_ of the drafts.

I ask for WG support for removing the Explicit IV from drafts for
Blowfish, CAST, RC5, et alia.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
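An added worked example, not part of Simpson's message or of any IPsec draft: it reproduces the two properties the post states about CBC decryption.  With an Explicit IV, flipping one IV bit flips exactly the same bit of the first plaintext block and nothing else, and separate flips are independent.  With a Derived IV the example expands a 32-bit sequence number into the 64-bit IV as the value followed by its bitwise complement (my reading of the RFC 1829 32-bit IV rule, treated here as an assumption), so one sequence-number bit flip changes two plaintext bits.  The block cipher is a toy Feistel permutation built on SHA-256 so the code runs offline; the IV property depends only on CBC's `P1 = D(C1) XOR IV` structure, not on the cipher.  Key, IV, sequence number and plaintext are constructed sample values.

```python
"""How CBC decryption maps IV bit flips onto the first plaintext block.

Added example; 64-bit blocks as in the DES-CBC transforms under discussion.
"""
import hashlib

BLOCK = 8          # 64-bit block
ROUNDS = 8

# Constructed sample values (not from any real traffic or specification).
KEY = b"example-key-material"
IV = bytes.fromhex("0011223344556677")
SEQ = bytes.fromhex("00000001")          # 32-bit anti-replay sequence number
PT = b"AH or not, 24 bytes here"        # three 64-bit blocks, no padding needed


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy Feistel round function standing in for a real block cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, pt: bytes) -> bytes:
    l, r = pt[:4], pt[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, ct: bytes) -> bytes:
    l, r = ct[:4], ct[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Each plaintext block is D(C_i) XOR C_{i-1}; the IV only feeds block 1.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def derived_iv(seq: bytes) -> bytes:
    # 32-bit value followed by its bitwise complement: my reading of the
    # RFC 1829 32-bit IV expansion, used here as the "Derived" construction.
    return seq + bytes(b ^ 0xFF for b in seq)


def changed_bits(a: bytes, b: bytes) -> list[int]:
    """Bit positions (LSB-first within each byte) where a and b differ."""
    return [i for i in range(len(a) * 8)
            if (a[i // 8] ^ b[i // 8]) >> (i % 8) & 1]


def explicit_iv_flip(key: bytes, iv: bytes, pt: bytes, bit: int) -> list[int]:
    """Plaintext bits changed when one bit of an Explicit IV is flipped."""
    ct = cbc_encrypt(key, iv, pt)
    return changed_bits(pt, cbc_decrypt(key, flip_bit(iv, bit), ct))


def derived_iv_flip(key: bytes, seq: bytes, pt: bytes, bit: int) -> list[int]:
    """Plaintext bits changed when one bit of the sequence number is flipped."""
    ct = cbc_encrypt(key, derived_iv(seq), pt)
    tampered = cbc_decrypt(key, derived_iv(flip_bit(seq, bit)), ct)
    return changed_bits(pt, tampered)


if __name__ == "__main__":
    print("explicit IV, bit 5 flipped  ->", explicit_iv_flip(KEY, IV, PT, 5))
    print("derived IV,  bit 5 flipped  ->", derived_iv_flip(KEY, SEQ, PT, 5))
```

Run stand-alone it prints the changed plaintext bit positions: a single position for the Explicit IV, two related positions (the bit and its complement 32 bits later) for the Derived IV.  Blocks after the first are untouched in both cases, which is exactly why the post treats the first block as the only one an IV change reaches and why an independent integrity check (the transport checksum or an authenticator) is what detects the change.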
