
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



Tero Kivinen writes:
> > Recall that the revised mode does not suffer from the problems that Lewis 
> > points out (since there the RSA encryption encrypts only a key to 
> > some block cipher).
> 
> Not true. You still have to limit the nonce size from the maximum of
> 256 bytes to a size such that it can be encrypted using the given key.
> 

Tero, indeed one has to limit the size of the nonce to fit within the 
appropriate length, say the PKCS-allowed length. (In fact, it may be easier
to have the recipient simply truncate the nonce to the appropriate length.)

But this is very different from the problems that Lewis brought up. You
cannot truncate a long ID (say, an X509 ID); and you have the low exponent
problem because the ID is not random. The natural way to get around these
problems would be to use RSA to encrypt a key for a symmetric cipher,
and then encrypt the ID with this key. However, this is already done in the
revised mode...


Ran
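Worked example added by the editor (not part of Ran's or Tero's messages, and not IKE implementation code): the PKCS#1 v1.5 length limit that forces a nonce to be truncated, set beside the hybrid path the post describes, where RSA encrypts only a symmetric key and that key encrypts an ID of any length. It uses the standard library only; the RSA key is a small constructed 512-bit demo key, the "block cipher" is a SHA-256 counter-mode keystream standing in for a real cipher, and the X.509-style name is constructed sample data.

```python
"""Added illustration (not from the thread): a 256-byte nonce does not fit an RSA
PKCS#1 v1.5 block and must be clipped, while a long, structured ID is carried under
a symmetric key that RSA wraps.  Demo key and hash-based keystream are stand-ins."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, sufficient for a throwaway demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def rsa_keygen(bits=512, e=65537):
    """Return (n, e, d).  512 bits keeps the demo fast; real keys are far larger."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_max_plaintext(n):
    """EM = 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M, so |M| <= k - 11."""
    return (n.bit_length() + 7) // 8 - 11


def rsa_pkcs1_v15_encrypt(pub, msg):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError(f"{len(msg)}-byte message exceeds the {k - 11}-byte PKCS#1 v1.5 limit")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_pkcs1_v15_decrypt(priv, ct):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # wrong header or padding string shorter than 8
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[sep + 1:]


def keystream_xor(key, iv, data):
    """Stand-in for a block cipher in counter mode: XOR with SHA-256(key || iv || counter)."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr * 32:(ctr + 1) * 32], block))
    return bytes(out)


def hybrid_encrypt(pub, ident):
    """Revised-mode shape: RSA carries only a fresh 16-byte key; the ID goes under that key."""
    key, iv = secrets.token_bytes(16), secrets.token_bytes(8)
    return rsa_pkcs1_v15_encrypt(pub, key), iv, keystream_xor(key, iv, ident)


def hybrid_decrypt(priv, wrapped_key, iv, ct):
    return keystream_xor(rsa_pkcs1_v15_decrypt(priv, wrapped_key), iv, ct)


def demo():
    """Report what fits where for a 256-byte nonce and a 300-byte constructed name."""
    n, e, d = rsa_keygen(512)
    pub, priv = (n, e), (n, d)
    limit = pkcs1_v15_max_plaintext(n)           # 64 - 11 = 53 bytes for a 512-bit modulus
    nonce = secrets.token_bytes(256)             # the maximum nonce size from the quoted message
    try:
        rsa_pkcs1_v15_encrypt(pub, nonce)
        direct_fits = True
    except ValueError:
        direct_fits = False
    clipped = nonce[:limit]                      # the recipient-side truncation the post mentions
    clipped_ok = rsa_pkcs1_v15_decrypt(priv, rsa_pkcs1_v15_encrypt(pub, clipped)) == clipped
    ident = b"CN=example.invalid,O=Constructed Example Corp,C=XX" * 6  # structured, not random, must not be cut
    wrapped, iv, ct = hybrid_encrypt(pub, ident)
    return {"limit": limit, "direct_fits": direct_fits, "clipped_roundtrip": clipped_ok,
            "hybrid_roundtrip": hybrid_decrypt(priv, wrapped, iv, ct) == ident}


if __name__ == "__main__":
    print(demo())
```

The hybrid path also sidesteps the low-exponent concern raised in the post: the RSA plaintext is a fresh random key rather than a predictable, structured identifier. PKCS#1 v1.5 encryption padding is used here only because the post refers to the PKCS-allowed length; a current design would wrap the key with OAEP and use an authenticated cipher for the ID.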


