Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Ran Canetti writes:
> In fact, why not remove the original encryption mode from the
> IKE standard altogether (or, if you wish, make it "historic")?
I think it should stay in.
> Recall that the revised mode does not suffer from the problems that Lewis
> points out (since there the RSA encryption encrypts only a key to
> some block cipher).
Not true. You still have to limit the nonce size from the maximum of
256 bytes to a size that can be encrypted using the given key.
> Does anyone see an aspect in which the original mode is better than the
> revised? If not, and if the original mode may be problematic in some cases
> then why keep it? (also for sake of simplicity, size of code, the
> usual stuff.)
The RSA encryption mode is much easier to implement [I have
implemented the RSA encryption mode, but I haven't implemented the
revised mode because it would require so much more stuff].
In the RSA encryption mode I only need to do special processing for
nonce and id payloads. In the revised RSA encryption mode I have to
add special processing to all payloads that can exist in the last
packet (ke, cert, cr, vendor id, nonce etc).
--
kivinen@iki.fi Work : +358-9-4354 3207
Magnus Enckellin kuja 9 K 19, 02610, Espoo Home : +358-9-502 1573