Re: key processing for manual and dynamic SA

[Ben Rogers <ben@ascend.com>]

Henry Spencer <henry@spsystems.net> writes:

> > 2) Dynamic Mode SA ...
> > Question:  What do I do if the constructed 64bit key is weak?  Do I:
> > a) reject the establishment
> > b) move on one byte in the keying material and try again
> > c) move on one-block (64bits) and try again?
> 
> It takes some searching to find any mention of this.  The ciph-cbc draft
> appears to say that when you discover you have been given a weak key, you
> reject it and require that a new SA be generated.  For the poorly-named
> "ISAKMP SA" (the communication path between the IKE daemons), the
> isakmp-oakley draft says that the first N non-weak bytes are used, which
> would seem to imply moving on one byte and trying again.

This is actually ambiguous.  I would have interpreted it as the first
non-weak N-byte block, meaning that if bytes (0, ... ,N-1) are weak,
you would try bytes (N, ... ,2N-1) instead.

> > Again, the process needs to be standard.
> 
> Given how rare weak keys are, it is quite possible that we will never know
> whether most implementations interoperate in this area.  Other forms of
> rare error leading to communications failure will probably be more common.

If anyone wants to ressurect their DES-MAC prf code, I can provide an
ISAKMP daemon which will force a given key.... :)

Otherwise, it is probably most wise to reject the negotiation and
start from scratch.  That way you are certain to interoperate.


ben

---

References:

• Re: key processing for manual and dynamic SA
• From: Henry Spencer <henry@spsystems.net>

---

• Prev by Date: Re: key processing for manual and dynamic SA
• Next by Date: Re: Comments on "Hybrid Auth. mode for IKE"
• Prev by thread: Re: key processing for manual and dynamic SA
• Next by thread: RE: key processing for manual and dynamic SA
• Index(es):
  • Main
  • Thread