"Steven M. Bellovin" wrote:
>
> >Secondly, there's a much more serious technical problem with your draft,
> >in that by using an implicit IV and a sequence number, it looks like
> >you're assuming that IV is chained across packets. If that is the case,
> >it has a significant problem in that you force the IPSEC engine to
> >handle reordering, and even worse, it has no way to recover from a
> >dropped packet.
>
> Actually, no -- given CBC's properties, a dropped packet implies that the
> following packet will not be decryptable; however, the last block of its
> ciphertext can still be used as the IV for the next packet. You thus square
> the effective packet loss probability. Reordering is still a significant
> hassle for the receiver, however.

Worse, the use of the last block as the IV for the next packet breaks the
assumption that IVs are unpredictable. Note that if IVs were predictable, and
you could persuade the endpoint to encrypt packets for you, then you could
perform test encryptions where you control the input. This is very bad.

Philip

--
Philip Gladstone                          +1 781 530 2461
Axent Technologies, Waltham, MA
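As an added illustration of both points in the exchange above (this is not code from either correspondent or from the draft under discussion), a small Go model of the chained-IV scheme: LossPropagation shows that losing one packet also costs the packet after it, and PredictNextIV shows that the IV of the next packet is readable off the wire before it is used. It assumes AES-CBC with block-aligned packets and no padding; the type and function names, the 16-byte key and the packet contents are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// chainedCBC is one end of a session whose implicit IV is the last ciphertext
// block of the previous packet (the scheme criticised above); packets are block-aligned.
type chainedCBC struct {
	block cipher.Block
	iv    []byte
}

// encrypt emits the wire ciphertext and advances the implicit IV.
func (c *chainedCBC) encrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(c.block, c.iv).CryptBlocks(ct, pt)
	c.iv = ct[len(ct)-aes.BlockSize:]
	return ct
}

// decrypt mirrors encrypt; the receiver resyncs its IV from whatever arrives.
func (c *chainedCBC) decrypt(ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(c.block, c.iv).CryptBlocks(pt, ct)
	c.iv = ct[len(ct)-aes.BlockSize:]
	return pt
}

// PredictNextIV: under chaining, packet n carries packet n+1's IV in the clear.
func PredictNextIV(wireCT []byte) []byte { return wireCT[len(wireCT)-aes.BlockSize:] }

// LossPropagation drops pkts[drop] in transit and reports which packets decrypted intact.
func LossPropagation(key, iv []byte, pkts [][]byte, drop int) []bool {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed demo: the key length is under our control
	}
	snd, rcv := &chainedCBC{b, iv}, &chainedCBC{b, iv}
	ok := make([]bool, len(pkts))
	for i, pt := range pkts {
		ct := snd.encrypt(pt)
		if i != drop {
			ok[i] = bytes.Equal(rcv.decrypt(ct), pt)
		} // a dropped packet leaves the receiver's IV one packet stale
	}
	return ok
}
```

Dropping packet 1 of four yields [true false false true]: the receiver decrypts packet 2 with a stale IV and only resynchronises from packet 2's own last block, which is the "squared" loss Bellovin describes.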