
Re: Java crypto Cipher-Block-Chaining isn't chaining
Robert Luursema wrote:

> On  3 May 99 at 15:00, Stephen Kent wrote:
> > CBC mode, as defined in FIPS 81 does not need to "chain" from one packet to
> > the next, only from one 8-byte block to the next, e.g., within a packet.
> > In fact, strict adherence to the FIPS does not even require a new IV for
> > each packet. While 2405 notes the possibility of chaining from one packet
> > to the next, it does not require such (no use of SHOULD, MUST, or even
> > MAY). Thus the Java implementation you cite appears to comply with both
> > 2405 and the FIPS.
>
> Thanks for your reply.
>
> I already figured out how it should be done.
>
> RFC 2409, appendix B requires (MUST) chaining between packets.
> "Subsequent messages MUST use the last CBC encryption block from the
> previous message as their initialization vector."
> At that time I didn't understand it, now I do.
> --
> Robert Luursema          R.Luursema@incaa.nl         Incaa Datacom b.v.

Please note the difference between RFC 2409 (IKE) and RFC 2405 (IPSEC-ESP-DES).
While in IKE the IV is carried from packet to packet (as you have quoted),
IPSEC-ESP-DES does not mandate packet chaining; it only recommends it.
RFC 2405:

   Including the IV in each datagram ensures that decryption of each
   received datagram can be performed, even when some datagrams are
   dropped, or datagrams are re-ordered in transit.

   Implementation note:

      Common practice is to use random data for the first IV and the
      last 8 octets of encrypted data from an encryption process as the
      IV for the next encryption process; this logically extends the CBC
      across the packets. It also has the advantage of limiting the
      leakage of information from the random number generator. No matter
      which mechanism is used, the receiver MUST NOT assume any meaning
      for this value, other than that it is an IV.

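As an added example (not from this thread or from any implementation it discusses), the two IV policies side by side in Python, with a toy 8-byte Feistel cipher standing in for DES: chaining each packet's IV from the previous packet's last ciphertext block (RFC 2409 appendix B) is exactly CBC over the concatenated stream, but a receiver that missed a packet then cannot recover the first block of the next one, which is what the explicit per-datagram IV in the RFC 2405 text above is there to avoid. The key, IV and packet contents are constructed; packet lengths are assumed to be whole blocks.

```python
import hashlib

BLOCK = 8  # DES block size, as in RFC 2405

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Toy round function: keyed hash truncated to the 4-byte half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel cipher on 8-byte blocks; a stand-in for DES only, not a real cipher.
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(r, key, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(l, key, rnd)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Plain CBC within one datagram: each block is XORed with the previous ciphertext block.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(xor(toy_decrypt_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def encrypt_chained(key: bytes, iv: bytes, packets: list) -> list:
    # IKE style (RFC 2409 appendix B): next packet's IV is the last ciphertext block of the previous one.
    out = []
    for p in packets:
        out.append(cbc_encrypt(key, iv, p))
        iv = out[-1][-BLOCK:]
    return out

def chaining_equals_one_stream(key: bytes, iv: bytes, packets: list) -> bool:
    # Packet chaining is exactly CBC over the concatenation ("logically extends the CBC").
    return b"".join(encrypt_chained(key, iv, packets)) == cbc_encrypt(key, iv, b"".join(packets))

def decrypt_after_loss(key: bytes, iv: bytes, packets: list) -> tuple:
    # Receiver sees packets 0 and 2 only (packet 1 dropped in transit).
    ct = encrypt_chained(key, iv, packets)
    chained = cbc_decrypt(key, ct[0][-BLOCK:], ct[2])   # IV taken from the last packet seen: wrong IV
    explicit = cbc_decrypt(key, ct[1][-BLOCK:], ct[2])  # ESP style: the right IV travels in the datagram
    return (chained[:BLOCK] == packets[2][:BLOCK], chained[BLOCK:] == packets[2][BLOCK:], explicit == packets[2])
```

Only the first block of the packet after the gap is lost under the chained policy, since CBC resynchronises from the next ciphertext block; this is why RFC 2405 can leave chaining as a recommendation rather than a requirement.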
