
Re: Weak keys



>If I understand it correctly, the current IKE spec says that the keys
>for each of the transforms are taken from the start of the keying
>material, except for DES where you skip bytes until what you find
>isn't one of the weak or semi-weak keys listed.

This section applies to IKE's use of the Phase 1 ciphers defined in the IKE
document.  Note that the Phase 2 IPSEC architecture leaves the definition of
what is a weak key to the particular cipher transform documents.  In the case
of a Phase 2 weak key, what happens must also be defined in the relevant
transform description.

>It also doesn't sound like it will interoperate if new weak keys are
>discovered and one side is updated to recognize those weak keys (since 
>the two sides will extract different substrings from the keying
>material).  After all, the listing of weak keys is subject to growth
>as more is learned about the systems in question.

The side that's been updated could just initiate a new rekey, assuming that
the other side wouldn't be smart enough to do so.

In thinking about the version number in the ISAKMP header, this brings up an
interesting point.  The ISAKMP version number is said (in the ISAKMP document)
to represent the packet and protocol versioning for the ISAKMP payloads and
exchanges.  Yet, it seems to me that it really needs to represent not just
ISAKMP but also the IKE protocol version and maybe the DOI version as well.

Derrell
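
The interoperability concern quoted above, as an added example that is not part of the original message or of the IKE spec: two peers select a DES key from the same keying material, sliding forward whenever the parity-adjusted 8-byte candidate is on their own rejection list. The one-byte skip is an assumption drawn from the quoted description, and `NEW_KEY` and `KEYMAT` are constructed values standing in for a newly listed weak key and for derived keying material.

```python
# Added example: DES key selection with weak-key skipping, and what happens
# when the two peers' weak-key lists differ. Sample bytes are constructed.
WEAK = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}
SEMI_WEAK = {bytes.fromhex(h) for h in (
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1")}

def odd_parity(key: bytes) -> bytes:
    """Set odd parity on each byte. DES ignores the low bit of every key
    byte, so candidates must be normalised before the list comparison."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)

def select_des_key(keymat: bytes, rejected: set) -> tuple:
    """Return (offset, key) for the first 8-byte window of keymat whose
    parity-adjusted form is not in `rejected` (assumed one-byte skip)."""
    for off in range(len(keymat) - 7):
        cand = odd_parity(keymat[off:off + 8])
        if cand not in rejected:
            return off, cand
    raise ValueError("keying material exhausted without a usable key")

def peers_agree(keymat: bytes, list_a: set, list_b: set) -> bool:
    """True when both peers end up with the same DES key."""
    return select_des_key(keymat, list_a)[1] == select_des_key(keymat, list_b)[1]

OLD_LIST = WEAK | SEMI_WEAK                    # peer that has not been updated
NEW_KEY = bytes.fromhex("0123456789ABCDEF")    # hypothetical newly listed key
NEW_LIST = OLD_LIST | {NEW_KEY}                # updated peer
KEYMAT = NEW_KEY + bytes.fromhex("1032547698BADCFE")  # constructed material

if __name__ == "__main__":
    print("old peer:", select_des_key(KEYMAT, OLD_LIST))
    print("new peer:", select_des_key(KEYMAT, NEW_LIST))
    print("interoperate:", peers_agree(KEYMAT, OLD_LIST, NEW_LIST))
```

The mismatch only appears when the keying material happens to begin with a key that one list rejects and the other accepts; for all other material the two peers select the same bytes.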


