[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Another slicing and dicing issue.

To: ipsec@tis.com
Subject: Another slicing and dicing issue.
From: Matt Thomas <matt@ljo.dec.com>
Date: Mon, 02 Mar 1998 14:13:19 -0500
In-Reply-To: <34FADD78.20B5@toast.net>
References: <199802280115.UAA09853@istari.sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com

In DOI-07 the Key Length attribute does not state what
units (bits or octets) it represents.

Assuming it's bits (for the following argument), when
someone negotiates a key length that's not a multiple 
of 8 (say for CAST or Blowfish), when the key material
that IKE provides is sliced and diced, should the
amount of key-material for non-octet sized keys be
rounded to next octet boundary?

(Whew!)  For example, I negotiate a 123 bit key length
for CAST with HMAC-SHA1.  When slicing the key material
up, should CAST be 128 bits (while dropping the 5 least
significant bits) and the remainder for HMAC-SHA1 or 
123 bits for CAST and the rest (appropriately shifted 
to compensate for the 5 bits in the middle octet not 
used by CAST)?

I think the former would be simplier (when slicing and
dicing, and therefore when generating key material,
each slice needs to rounds to the octet boundary) and
should be specified in the cipher document.
-- 
Matt Thomas                    Internet:   matt.thomas@altavista-software.com
Internet Locksmith             WWW URL:    <coming eventually>
AltaVista Internet Software    Disclaimer: This message reflects my own
Littleton, MA                              warped views, etc.

References:

Re: IPSEC tunnels and Mobile IP

From: Pat Calhoun <pcalhoun@toast.net>

Prev by Date: IPSec policy
Next by Date: Re: I-D ACTION:draft-mcdonald-pf-key-v2-05.txt
Prev by thread: Re: IPSEC tunnels and Mobile IP
Next by thread: Re: IPSEC tunnels and Mobile IP
Index(es):
- Main
- Thread