
Re: combining SA proposals in IKE [was: Some questions]



>> Perhaps we should go to some trouble to ensure that these SPIs are
>> distinct (or just probably distinct?).  Perhaps they should even have
>> non-trivial Hamming distance (I don't imagine that this is needed, but
>> I'm not a cryptographer).
>> 
>> I see nothing in the standards that specifies that SPIs should be
>> unpredictable or different.  Is this a weakness of the standards?
>
>I'm not so sure I see a need for requiring that the SPIs be unpredictable.
>But I really see a need for the nonces to be. I guess the Security 
>Considerations of IKE should strongly state this.

The cryptographic design of IKE does not assume anything about the 
SPIs. They can be as structured or unstructured as you want:
fixed to zero if that works for you, a counter, or a perfectly random number.

As Dan correctly points out, it is the (pseudo) randomness of the nonces
that counts. That is used to ensure freshness and independence of 
authentication and key derivation. Indeed, a clarification in the security
considerations is in place (maybe even at the first "definition" of what Nx
stands for).

BTW, even if you want to use a random SPI for the above freshness purposes,
32 bits of them wouldn't be enough in some cases. A 32-bit random quantity
will repeat with high probability after 2^16 uses, which may be too little
for ensuring freshness in some applications.

Hugo
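A worked check of the birthday-bound remark in Hugo's last paragraph, added here as an example and not part of the thread: it computes the probability that uniformly random values of a given width repeat after a number of uses (and the use count at which that probability reaches one half), then confirms the 32-bit case empirically. The 64- and 128-bit widths are included only for comparison; they are my choice, not sizes the post discusses.

```python
import math
import random

SPI_BITS = 32  # IPsec SPIs are 32-bit values, the case the post discusses


def collision_probability(draws: int, bits: int) -> float:
    """Birthday-bound approximation: probability that at least two of
    `draws` independent uniformly random `bits`-bit values coincide."""
    space = 2 ** bits
    return 1.0 - math.exp(-draws * (draws - 1) / (2.0 * space))


def draws_for_probability(p: float, bits: int) -> int:
    """Smallest number of draws at which the collision probability
    reaches p (inverse of the approximation above)."""
    space = 2 ** bits
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * space * math.log(1.0 - p)))


def simulate_repeat_rate(draws: int, bits: int, trials: int, seed: int = 0) -> float:
    """Empirical check: fraction of trials in which `draws` fresh random
    `bits`-bit values contain at least one repeat (seeded, so repeatable)."""
    rng = random.Random(seed)
    repeats = 0
    for _ in range(trials):
        seen = {rng.getrandbits(bits) for _ in range(draws)}
        if len(seen) < draws:  # a duplicate was swallowed by the set
            repeats += 1
    return repeats / trials


if __name__ == "__main__":
    # The post's claim: 32-bit random values repeat with high probability
    # after about 2^16 uses. Wider nonces push that point much further out.
    for bits, uses in ((SPI_BITS, 2 ** 16), (64, 2 ** 32), (128, 2 ** 32)):
        print(f"{bits:3d}-bit values, {uses} uses: "
              f"P(repeat) = {collision_probability(uses, bits):.3g}")
    print(f"32-bit: P(repeat) reaches 1/2 after "
          f"{draws_for_probability(0.5, SPI_BITS)} uses")
    print(f"32-bit, 2^16 uses, simulated repeat rate: "
          f"{simulate_repeat_rate(2 ** 16, SPI_BITS, trials=40, seed=7):.2f}")
```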