
Re: Unnecessarily bloated IV calculation



Ben Rogers quoted:
> From [IO-RES] Appendix B:
> 
>    In phase 1, material for the initialization vector (IV material) 
>    for CBC mode encryption algorithms is derived from a hash of a
>    concatenation of the initiator's public Diffie-Hellman value and 
>    the responder's public Diffie-Hellman value using the negotiated 
>    hash algorithm. This is used for the first message only. 

[IORES] Sec. 5.3 actually specifies a different first-payload IV 
for phase 1 exchanges that are authenticated w/ the revised PK 
encryption method:

    If CBC mode is used for the symmetric encryption then the
    initialization vectors (IVs) are set as follows. The IV for
    encrypting the first payload following the nonce is set to 0 
    (zero). The IV for subsequent payloads encrypted with the ephemeral 
    symmetric cipher key, Ke_i, is the last ciphertext block of the 
    previous payload. 
    
For these exchanges the parties' public DH values can't be used for 
first-payload IV derivation, since the first-payload IV must already be 
available when the initiator encrypts its KE payload.  However, to 
avoid the use of a constant first-payload IV in these exchanges we could 
derive the first-payload IV from the parties' public keys, e.g. 
IV = Hash(PubKey_i || PubKey_r).

Deriving the first-payload IV from the cookies doesn't seem to work 
for Aggressive Mode, because the initiator needs the first-payload IV
before receiving the responder's cookie.

-Lewis  <mailto:pseudonym@acm.org>
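The three IV rules discussed in this message, the Appendix B derivation (a hash of two concatenated public values, truncated to a cipher block), the Sec. 5.3 zero IV, and the chaining of each later payload's IV from the last ciphertext block of the previous payload, worked through in an added Python example that is not part of the original post or of any IKE implementation. The block cipher is a constructed 4-round Feistel network over SHA-256 standing in for a real 128-bit cipher, all sample keys and public-key bytes are made up, and `first_blocks_match` illustrates the reason the author gives for avoiding a constant first-payload IV:

```python
import hashlib

BLOCK = 16  # assume a 128-bit block cipher (constructed stand-in below)


def derive_first_payload_iv(hash_name: str, left: bytes, right: bytes) -> bytes:
    """IV material = Hash(left || right), truncated to one cipher block.
    Appendix B hashes the two public DH values; the post proposes the same
    construction over PubKey_i || PubKey_r when the DH values are not yet known."""
    return hashlib.new(hash_name, left + right).digest()[:BLOCK]


def zero_iv() -> bytes:
    """Sec. 5.3 rule: the IV for the first payload after the nonce is 0."""
    return bytes(BLOCK)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- constructed stand-in block cipher (4-round Feistel over SHA-256) --------
# Not an IKE cipher: it only provides an invertible 128-bit block function so
# that CBC chaining can be demonstrated offline.

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


# --- CBC mode and the Sec. 5.3 chaining rule --------------------------------

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def encrypt_payloads(key: bytes, first_iv: bytes, payloads: list) -> list:
    """First payload uses first_iv; each later payload uses the last
    ciphertext block of the previous payload as its IV (Sec. 5.3)."""
    iv, out = first_iv, []
    for p in payloads:
        c = cbc_encrypt(key, iv, p)
        out.append(c)
        iv = c[-BLOCK:]
    return out


def decrypt_payloads(key: bytes, first_iv: bytes, ciphertexts: list) -> list:
    iv, out = first_iv, []
    for c in ciphertexts:
        out.append(cbc_decrypt(key, iv, c))
        iv = c[-BLOCK:]
    return out


def first_blocks_match(key: bytes, iv_a: bytes, iv_b: bytes, payload: bytes) -> bool:
    """Under one key, equal first plaintext blocks encrypted with equal IVs give
    equal first ciphertext blocks; a per-exchange IV removes that property.
    Ke_i is ephemeral, so this only bites if a key is ever reused."""
    return cbc_encrypt(key, iv_a, payload)[:BLOCK] == cbc_encrypt(key, iv_b, payload)[:BLOCK]


if __name__ == "__main__":
    # constructed sample values, not real keys or certificates
    pubkey_i = b"initiator-public-key-sample"
    pubkey_r = b"responder-public-key-sample"
    ke_i = hashlib.sha256(b"constructed-ephemeral-key").digest()
    payloads = [b"ID payload......".ljust(32, b"\0"), b"SIG payload.....".ljust(32, b"\0")]

    iv = derive_first_payload_iv("sha1", pubkey_i, pubkey_r)
    cts = encrypt_payloads(ke_i, iv, payloads)
    assert decrypt_payloads(ke_i, iv, cts) == payloads
    print("derived first-payload IV:", iv.hex())
    print("zero IV repeats first block:", first_blocks_match(ke_i, zero_iv(), zero_iv(), payloads[0]))
    print("derived IV repeats first block:", first_blocks_match(ke_i, zero_iv(), iv, payloads[0]))
```

Run it directly to see the derived IV and the two comparisons; swapping the stand-in cipher for a real 128-bit block cipher changes nothing in the IV derivation or chaining logic, which is the part the message is about.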

