[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

draft-...-cipher-*

To: ipsec@tis.com
Subject: draft-...-cipher-*
From: Helger Lipmaa <helger@ioc.ee>
Date: Sun, 21 Sep 1997 00:13:22 +0300 (EET DST)
In-Reply-To: <199709192100.RAA05861@dcl.MIT.EDU>
Sender: owner-ipsec@ex.tis.com

On Fri, 19 Sep 1997, Theodore Y. Ts'o wrote:

> Speaking personally, I'd rather not include a document for every single
> cryptographic algorithm under the sun, just for completeness sake.

Same here. I think that it would be a much better idea to compose one
draft for all (or most) block ciphers that would give a general framework
on using them in ESP. 

Parts of this document ought to go like that:

   ...

   This document gives implementers general instructions for using
   any standard block cipher algorithm in CBC mode to secure ESP.

   For information about concrete ciphers (key sizes, block sizes,
   performance, patents) see "Handbook of Applied Cryptography". The
   warnings about weaknesses of concrete ciphers given there (weak keys,
   minimal number of rounds) given there MUST be followed.

   Implementers SHOULD also be aware of the newest attacks available in
   the cryptographical literature. 

/* I consider [Schneier] to be a unsuitable reference for RFC's.
   HAC is much better, but not complete (and partly out-of-date).
   The best reference (imho) available is by Lars Knudsen at
   http://www.esat.kuleuven.ac.be/~knudsen/bc and is continously
   changing. Maybe IPSEC WG should contact Lars and ask him to
   collaborate by adding some IPSEC specific info to this page 
   (e.g., by emphasing for dumb implementers the ciphers and parameters
   that are considered to be long term secure atm).
 */

   ...

... ESP Payload

   Most block ciphers in CBC mode require an initialization vector of
   $b/8$ octets for use with ESP, where $b$ is the block size in
   bits [Kent97]. The IV MUST precede the data to be encrypted in the
   packet and must be $b$ octets in length.  The IV SHOULD be chosen at
   random. Common practice is to use random data for the first IV and the
   last $b/8$ of encrypted data from an encryption process as the IV for
   the next encryption process.

   ...

XXX Block Size and Padding

   Block size of cipher algorithm in bits is denoted by $b$. /* Some
   overall requirements on $b$, e.g. $32|b$ */

   Padding is used to align the payload type and pad length octets as
   specified in [Kent97].  Padding must be sufficient to align the
   data to be encrypted to an $b/8$ octet ($b$ bit) boundary.

   ...

XXX Some concrete ciphers

  While writing the draft, IPSEC WG encouraged using of the next
  ciphers with following parameters.

   Name   | block size | key size | rounds | 
  --------+------------+----------+--------+
  DES     | 64         | 56       | 16     |
  ...

  One should be aware that new attacks are discovered continously,
  therefore implementers MUST consult the updated information [Knudsen?]
  once in a while.

  ...

Actually, I think that most implementers are currently doing exactly what
I've written here: 

x one needs general framework how to implement ESP with _any_ block
  cipher
x data given in drafts gets older with every day; things like
  'performance' or 'best attack currently known' shouldn't be there at
  all. For example, in draft-ietf-ipsec-ciph-idea-cbc-00.txt it is
  written:

    Normal eight round IDEA is approximately twice as fast [word 'as'
    missing] DES on 386 and 486 processors. However on a Pentium, both
    eight round IDEA and 56 bit key, 16 round DES require about the same
    number of clock cycles per byte encrypted.

  If you check the page by Knudsen, you get different figures.

Best,
Helger

References:

Re: Wrap up for the IPsec drafts

From: "Theodore Y. Ts'o" <tytso@MIT.EDU>

Prev by Date: Re: [Theodore Y. Ts'o: Re: Daemon Recovery]
Next by Date: draft-ipsec-cipher-generic.txt (was: draft-...cipher-*)
Prev by thread: Re: Wrap up for the IPsec drafts
Next by thread: Costs of Mandatory Key Recovery
Index(es):
- Main
- Thread