
Calling the question: implicit vs. explicit IV




Bob and I would like to call the question regarding implicit
vs. explicit IV's.  Given the tenor of the discussion on the list, we
believe that we have rough consensus on using explicit IV's in the
encryption algorithms used by ESP.  However, I'd like to formally ask
the working group to either agree or disagree with "the sense of the
chairs".

To review the issues at hand:


Simpson has perhaps been the strongest proponent of using implicit IV's.
His arguments in favor of doing this include

	* reducing the overhead of ESP by 8 bytes
	* avoiding a "covert channel" (because keying information could
		be leaked deliberately --- either with the knowledge of
		the user in the case of the "Clipper Chip", or without
		the knowledge of the user if you believe that the
		U.S. government could suborn U.S. manufacturers to leak
		keying information in the IV field; paranoia reigns....)
	* maintaining (partial) compatibility with RFC-1827, 1828, and
		1829, because the new ESP with a sequence number looks
		similar to RFC-1827 with a 32-bit IV.

However, there have also been a number of people (Pereira, Adams,
Simpson, Ts'o, Kent, Krawczyk) who have spoken in favor of an explicit
IV.  Ts'o has pointed out that the 8 byte overhead is lost in the noise
compared to the other overheads involved (the ESP authenticator, the IP
and TCP headers, etc.)

A number of people (Kent, Ts'o, et al.) have pointed out that the
compatibility is partial at best, the handling of the "sequence number",
and whether wrapping is allowed or not changes; and RFC-1829 doesn't
support the authenticator, and the compatibility hack assumes that
you're not using RFC-1826-style 0-bit and 64-bit IV's.

It's also the case that compared to the complexity of implementing
ISAKMP/Oakley, and the rest of the IPSEC suite, the amount of effort to
implement two variants (old/deprecated and new/recommended) of ESP, one
which was RFC-1829 and the other implementing sequence numbers, explicit
IV's, and authenticators, really isn't all that hard.  The bulk of the
code complexity is in the crypto algorithms anyway.  

Finally, Hugo Krawczyk pointed out that an implicit IV system was
subject to a chosen plaintext attack which could be prevented by using
an explicit IV.


I am sure that there are other reasons that some could cite about how
explicit might be better than implicit, or vice versa.  However, I
believe I have captured the most arguments on either side of the issue.

Please send comments either in support or in opposition to the
proposition which I advanced at the beginning of this e-mail note;
namely, that we have rough consensus to use an explicit IV within the
use of the encryption algorithms with ESP.

						- Ted
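
The chosen-plaintext concern mentioned in the message can be illustrated with the textbook predictable-IV weakness of CBC mode. This is an added example, not part of the original message, and the message does not say that this is the exact attack Krawczyk described. The toy Feistel cipher, the counter-derived implicit IV, the randomly chosen explicit IV, the sample plaintexts and all names are assumptions.

```python
import hashlib, hmac, os

BLOCK = 8  # 64-bit blocks, as with the DES-era ciphers of the time

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt_block(key, block):
    """Toy 4-round Feistel permutation standing in for the real cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

class Sender:
    """Hypothetical sender encrypting one-block packets in CBC mode."""
    def __init__(self, key, implicit):
        self.key, self.implicit, self.seq = key, implicit, 0

    def next_iv(self):
        # Implicit IV (assumed): derived from the public packet counter,
        # so any observer can compute it before the packet is sent.
        return self.seq.to_bytes(BLOCK, "big")

    def send(self, plaintext):
        iv = self.next_iv() if self.implicit else os.urandom(BLOCK)
        self.seq += 1
        return iv, encrypt_block(self.key, xor(iv, plaintext))

def guess_confirmed(sender, guess, seen_iv, seen_ct):
    """Does a chosen plaintext built from `guess` reproduce seen_ct?"""
    predicted_iv = sender.next_iv()  # best prediction available in advance
    chosen = xor(xor(guess, seen_iv), predicted_iv)
    _, ct = sender.send(chosen)      # CBC input becomes guess XOR seen_iv
    return ct == seen_ct             # only if the IV prediction was right

def demo(implicit):
    """Returns (right guess confirmed, wrong guess confirmed)."""
    sender = Sender(os.urandom(16), implicit)
    secret = b"PIN=4921"             # constructed sample plaintext
    iv, ct = sender.send(secret)
    return (guess_confirmed(sender, b"PIN=4921", iv, ct),
            guess_confirmed(sender, b"PIN=0000", iv, ct))
```

With the implicit IV the correct guess is confirmed because the next IV is known in advance; with an explicit IV drawn at random per packet the prediction fails and neither guess can be confirmed.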

