
Re: Calling the question: derived vs. explicit IV



   Date: Fri, 1 Aug 97 14:32:52 GMT
   From: "William Allen Simpson" <wsimpson@greendragon.com>

   In favor of Derived:

    2) Maintains complete backward compatibility with RFCs 1829 and 1851.
       All shipping implementations already support the derived IV.

Not true.  It is not _complete_ backwards compatibility.  RFC 1829
supports no IV, 32-bit IV, and 64-bit IV.  The compatibility you
propose only works using RFC 1829-style 32-bit IV.

In addition the handling of sequence number wrapping means that there is
yet another compatibility issue.  This can be solved having the ESP
engine know something about whether the key management was manually done
or not.  However, that's an abstraction violation, and it certainly adds
to the complexity of the implementation simply to have this
"compatibility".

    3) Will reduce administrative and operational confusion.  A change to
       explicit IV would "obsolete" thousands of fielded units, and create
       a user support nightmare.

Not so.  The fielded units do not support key management.  The assumption
which I'm making here is that manual keying will continue to use RFC
1829.  The new units that support key management will support explicit
IVs; if they choose to support manual keying for compatibility with
said "thousands of fielded units" (and the market will decide whether or
not that's necessary), they can simply support RFC 1829.  It's not that
much code to support both.

    4) Interoperable code will be more rapidly deployed.

The vendors who participated in the ANX interoperability demo were using
explicit IVs.

    5) Any change to explicit must show GREATER cryptographic strength.

       Derived has been shown to give somewhat stronger protection of the
       first block than explicit.  Estimates are from 2**7 to 2**16
       depending on environment.

Not true.  We will be using a MAC to protect the packets against other
attacks; this means that your posited attack of being able to modify the
first block is simply not an issue.


As far as Bill's counting of noses of who is for and who is against,
there are a number of people in his lists for whom I haven't seen a clear
statement of their position, and a number of people who have stated a
position which he neglected to put on his lists.  I am keeping track of
messages sent both to the list and to me privately; however, I'd ask
that folks send their preferences to the list, if at all possible.

							- Ted


