Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

[Tero Kivinen <kivinen@ssh.fi>]

Ran Canetti writes:
> In fact, why not remove the original encryption mode from the 
> IKE standard altogether (or, if you wish, make it "historic")?

I think it should stay in. 

> Recall that the revised mode does not suffer from the problems that Lewis 
> points out (since there the RSA encryption encrypts only a key to 
> some block cipher).

Not true. You still have to limit the nonce size from the maximum of
256 bytes to such that it can be encrypted using the given key. 

> Does anyone see an aspect in which the original mode is better than the
> revised? if not, and if the original mode may be problematic in some cases
> then why keep it? (also for sake of simplicity, size of code, the
> usual stuff.) 

The rsa encryption mode is much easier to implement [I have
implemented the RSA encryption mode, but I haven't implemented the
revised mode because it would require so much more stuff].

In the RSA encryptionmode I only need to do special prosessing for
nonce and id payloads. In the revised rsa encryption mode I have to
add special processing to all payloads that can exist in the last
packet (ke, cert, cr, vendor id, nonce etc). 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3207
Magnus Enckellin kuja 9 K 19, 02610, Espoo   Home : +358-9-502 1573

---

References:

• Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
• From: Ran Canetti <canetti@watson.ibm.com>

---

• Prev by Date: Re: Last Call: Security Architecture for the Internet Protocol to
• Next by Date: Re: Last Call: Security Architecture for the Internet Protocol to
• Prev by thread: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
• Next by thread: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
• Index(es):
  • Main
  • Thread