
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



Ran Canetti writes:
> > Not true. You still have to limit the nonce size from the maximum of
> > 256 bytes to such that it can be encrypted using the given key. 
> Tero, indeed one has to limit the size of the nonce to fit within the 
> appropriate length, say the PKCS-allowed length. (In fact, it may be easier
> to have the recipient simply truncate the nonce to the appropriate length.)

The nonce must NOT be truncated in the encryption, because if only
part of the nonce is encrypted and transmitted then the authentication
hashes don't match. Both ends need to generate nonces that are
suitable for encryption with the public key of the remote end. 

> But this is very different than the problems that Lewis brought up. You
> cannot truncate a long ID (say, an X509 ID); and you have the low exponent 
> problem because the ID is not random. The natural way to get around these
> problems would be to use RSA to encrypt a key for a symmetric cipher,
> and then encrypt the ID with this key.  However, this is already done in the
> revised mode...

Yes, I know this is a different problem, but I think that some comment
about that should be added to the revised encryption mode section too.

I don't think this issue is a problem in the original rsa encryption
mode. Most of the time the ID will be just 64 bits (IPV4 address),
that can be encrypted using almost any key. For IPV6 the ID length is
160 bits and that also doesn't cause any problems. If the ID is
ID_FQDN, ID_USER_FQDN, or ID_DER_ASN1_{DN,GN}, and the ID is too long,
then we just don't use RSA encryption mode. 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3207
Magnus Enckellin kuja 9 K 19, 02610, Espoo   Home : +358-9-502 1573
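The sizing rule discussed in the message above, as an added example (not code from the thread or from any IKE implementation): a nonce that must be RSA-encrypted to the peer has to fit in one PKCS#1 v1.5 block (modulus bytes minus 11) as well as under the 256-byte nonce maximum, and a receiver that silently truncates the nonce ends up with a different authentication hash than the sender. The HMAC below is an assumed stand-in for the IKE authentication hash; only the fact that it covers both full nonces matters.

```python
import hashlib
import hmac

# ISAKMP/IKE nonce payload bounds in bytes (RFC 2409); the 256-byte
# maximum is the one the message refers to.
MIN_NONCE_LEN = 8
MAX_NONCE_LEN = 256


def max_pkcs1_v15_plaintext(modulus_bits: int) -> int:
    """Largest plaintext PKCS#1 v1.5 block type 2 can wrap for a modulus of
    this size: k - 11 bytes (3 header/separator bytes, at least 8 pad bytes)."""
    k = modulus_bits // 8
    return k - 11


def max_nonce_len_for_peer(peer_modulus_bits: int) -> int:
    """Longest nonce we may generate when it must be RSA-encrypted to the peer."""
    return min(MAX_NONCE_LEN, max_pkcs1_v15_plaintext(peer_modulus_bits))


def nonce_fits(nonce: bytes, peer_modulus_bits: int) -> bool:
    """Check a generated nonce against both the protocol and the key limits."""
    return MIN_NONCE_LEN <= len(nonce) <= max_nonce_len_for_peer(peer_modulus_bits)


def auth_hash(key: bytes, ni: bytes, nr: bytes) -> bytes:
    """Simplified stand-in (assumption) for the IKE authentication hash:
    a PRF keyed with shared state over both nonces."""
    return hmac.new(key, ni + nr, hashlib.sha1).digest()


def truncation_breaks_auth(key: bytes, ni: bytes, nr: bytes, limit: int) -> bool:
    """True when a responder that only received ni[:limit] computes a
    different hash from the initiator, who hashed the full ni."""
    sent = auth_hash(key, ni, nr)
    recv = auth_hash(key, ni[:limit], nr)
    return sent != recv


if __name__ == "__main__":
    # Constructed sample: a 200-byte nonce and a 1024-bit peer key.
    ni = bytes(range(200))
    nr = bytes(16)
    key = b"constructed-shared-state"
    print("max nonce for 1024-bit peer key:", max_nonce_len_for_peer(1024))
    print("200-byte nonce fits:", nonce_fits(ni, 1024))
    print("truncating to 117 breaks auth:", truncation_breaks_auth(key, ni, nr, 117))
```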

