Re: Unnecessarily bloated IV calculation
Ben Rogers quoted:
> From [IO-RES] Appendix B:
>
> In phase 1, material for the initialization vector (IV material)
> for CBC mode encryption algorithms is derived from a hash of a
> concatenation of the initiator's public Diffie-Hellman value and
> the responder's public Diffie-Hellman value using the negotiated
> hash algorithm. This is used for the first message only.
[IORES] Sec. 5.3 actually specifies a different first-payload IV
for phase 1 exchanges that are authenticated w/ the revised PK
encryption method:
    If CBC mode is used for the symmetric encryption then the
    initialization vectors (IVs) are set as follows. The IV for
    encrypting the first payload following the nonce is set to 0
    (zero). The IV for subsequent payloads encrypted with the ephemeral
    symmetric cipher key, Ke_i, is the last ciphertext block of the
    previous payload.
For these exchanges the parties' public DH values can't be used for
first-payload IV derivation, since the first-payload IV must already be
available when the initiator encrypts its KE payload. However, to
avoid the use of a constant first-payload IV in these exchanges we could
derive the first-payload IV from the parties' public keys, e.g.
IV = Hash(PubKey_i || PubKey_r).
Deriving the first-payload IV from the cookies doesn't seem to work
for Aggressive Mode, because the initiator needs the first-payload IV
before receiving the responder's cookie.
-Lewis <mailto:pseudonym@acm.org>
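The ordering argument in the message above can be checked mechanically. The following is an added example written for this archive page; it is not code from the thread or from any IKE implementation. It models the four first-payload IV choices discussed (Appendix B's hash of the two public DH values, Sec. 5.3's zero IV, the proposed hash of the two public keys, and a hash of the two cookies) plus the "last ciphertext block" chaining rule, and then asks which of them the initiator can actually compute at the moment it must encrypt its first payload. All sample values are constructed, the function and class names are hypothetical, and truncating the hash output to one cipher block (assumed here to be 8 bytes, as for a 64-bit block cipher) is an assumption, not something the quoted text specifies.

```python
import hashlib
from typing import Callable, Dict, Optional

# Constructed sample values; they stand in for real protocol fields.
PUB_DH_I = bytes([0x0A]) * 64   # initiator's public Diffie-Hellman value
PUB_DH_R = bytes([0x0B]) * 64   # responder's public Diffie-Hellman value
PUBKEY_I = b"initiator-public-key-sample"
PUBKEY_R = b"responder-public-key-sample"
COOKIE_I = bytes.fromhex("0102030405060708")
COOKIE_R = bytes.fromhex("1112131415161718")

# Assumption: the negotiated CBC cipher has a 64-bit block.
BLOCK_LEN = 8


def iv_from(hash_name: str, *parts: Optional[bytes], block_len: int = BLOCK_LEN) -> bytes:
    """Hash the concatenation of `parts` with the negotiated hash and keep one block.
    A part that is None is a value this party does not have yet, so no IV exists."""
    if not parts or any(p is None for p in parts):
        raise ValueError("an IV input is not yet available to this party")
    digest = hashlib.new(hash_name, b"".join(parts)).digest()
    return digest[:block_len]


def first_iv_appendix_b(hash_name: str, pub_dh_i: Optional[bytes], pub_dh_r: Optional[bytes]) -> bytes:
    """Appendix B: IV material = Hash(g^xi || g^xr), used for the first message only."""
    return iv_from(hash_name, pub_dh_i, pub_dh_r)


def first_iv_revised_pk() -> bytes:
    """Sec. 5.3 (revised PK encryption): the first payload after the nonce uses IV = 0."""
    return bytes(BLOCK_LEN)


def first_iv_from_pubkeys(hash_name: str, pubkey_i: Optional[bytes], pubkey_r: Optional[bytes]) -> bytes:
    """The alternative proposed in the message: IV = Hash(PubKey_i || PubKey_r)."""
    return iv_from(hash_name, pubkey_i, pubkey_r)


def first_iv_from_cookies(hash_name: str, cookie_i: Optional[bytes], cookie_r: Optional[bytes]) -> bytes:
    """Cookie-based derivation, which the message argues fails for Aggressive Mode."""
    return iv_from(hash_name, cookie_i, cookie_r)


def next_iv(previous_ciphertext: bytes, block_len: int = BLOCK_LEN) -> bytes:
    """Subsequent payloads: the IV is the last ciphertext block of the previous payload."""
    if not previous_ciphertext or len(previous_ciphertext) % block_len:
        raise ValueError("previous ciphertext must be a non-empty whole number of blocks")
    return previous_ciphertext[-block_len:]


class InitiatorView:
    """What the initiator knows when it encrypts its first payload: its own DH value,
    both public keys (the responder's is needed anyway for the PK encryption method),
    its own cookie, and nothing yet from the responder."""

    def __init__(self) -> None:
        self.pub_dh_i: Optional[bytes] = PUB_DH_I
        self.pub_dh_r: Optional[bytes] = None      # responder's KE not yet received
        self.pubkey_i: Optional[bytes] = PUBKEY_I
        self.pubkey_r: Optional[bytes] = PUBKEY_R
        self.cookie_i: Optional[bytes] = COOKIE_I
        self.cookie_r: Optional[bytes] = None      # responder's cookie not yet received


def available_first_ivs(view: InitiatorView, hash_name: str = "sha1") -> Dict[str, Optional[bytes]]:
    """Try every derivation with only the initiator's knowledge; None marks the ones
    that cannot be computed at that point in the exchange."""
    candidates: Dict[str, Callable[[], bytes]] = {
        "dh_values": lambda: first_iv_appendix_b(hash_name, view.pub_dh_i, view.pub_dh_r),
        "zero": first_iv_revised_pk,
        "public_keys": lambda: first_iv_from_pubkeys(hash_name, view.pubkey_i, view.pubkey_r),
        "cookies": lambda: first_iv_from_cookies(hash_name, view.cookie_i, view.cookie_r),
    }
    results: Dict[str, Optional[bytes]] = {}
    for name, derive in candidates.items():
        try:
            results[name] = derive()
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    for name, iv in available_first_ivs(InitiatorView()).items():
        print(f"{name:12s} {'unavailable' if iv is None else iv.hex()}")
```

Running it shows that, with the initiator's knowledge alone, only the zero IV and the public-key-derived IV exist; the DH-value and cookie derivations both need something the responder has not sent yet. The responder computes the same public-key-derived IV from the same inputs, so both sides stay in step without an extra round trip.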