[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Calling the question: derived vs. explicit IV

To: IP Security List <ipsec@tis.com>
Subject: Re: Calling the question: derived vs. explicit IV
From: Lewis McCarthy <lmccarth@cs.umass.edu>
Date: Wed, 06 Aug 1997 15:12:15 -0400
Organization: UMass-Amherst Theoretical Computer Science Group, <http://www.cs.umass.edu/~thtml/>
References: <6412.wsimpson@greendragon.com>
Sender: owner-ipsec@ex.tis.com

Bill Simpson writes:
> Derived has been show to give somewhat stronger protection of the
> first block than explicit.  Estimates are from 2**7 to 2**16
> depending on environment.

Ted Ts'o writes:
>>> Not true.  We will be using an MAC to protect the packets against 
>>> other attacks; this means that your posited attack of being able to 
>>> modify the first block is simply not an issue.

Bill:
> Is a MAC required or optional?

Regardless of whether a cryptographic MAC is in use or not, I agree with
Steve Bellovin's earlier comments that a work factor increase from
0 to 65536 is not significant. I don't think it offers any
practical cryptographic reason to prefer a derived (implicit?) IV to
an explicit IV. 

The questions about which shipping products and current implementations 
support which IV schemes from which documents seem to be much more
important considerations here. I'm not sure how to reconcile all the
conflicting claims I've seen on the list, so I'm sitting on the fence.

-Lewis

References:

Re: Calling the question: derived vs. explicit IV

From: "William Allen Simpson" <wsimpson@greendragon.com>

Prev by Date: RE: PKCS 7 + PKCS 10 Proposal
Next by Date: RE: PKCS 7 + PKCS 10 Proposal
Prev by thread: Re: Calling the question: derived vs. explicit IV
Next by thread: Re: Calling the question: derived vs. explicit IV
Index(es):
- Main
- Thread