
Re: I-D ACTION:draft-ietf-ipsec-skipjack-cbc-00.txt



In message <374C392A.58CCA6B8@raptor.com>, Philip Gladstone writes:

>
>> 
>> Actually, no -- given CBC's properties, a dropped packet implies that the
>> following packet will not be decryptable; however, the last block of its
>> ciphertext can still be used as the IV for the next packet.  You thus square
>> the effective packet loss probability.  Reordering is still a significant
>> hassle for the receiver, however.
>
>Worse, the use of the last block as the IV for the next packet breaks
>the assumption that IVs are unpredictable. Note that if IVs were
>predictable, and you could persuade the endpoint to encrypt packets
>for you, then you could perform test encryptions where you control
>the input. This is very bad.

I don't agree.  In fact, the ESP spec suggests using that very technique,
albeit with an explicit IV.  Any block of a CBC encryption depends on *all*
of the previous blocks of plaintext (which is why CBC MACs work).  You can
control the plaintext of the payload portion of a packet, and of some of the
header, but not all of the header.  And it doesn't matter -- given how CBC
works, the actual plaintext encrypted in any block depends on not just the
plaintext, but also on the previous block's ciphertext, which is effectively
random.
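Gladstone's test-encryption scenario and the chained-IV scheme discussed above, as an added example (not code from either poster; AES stands in for Skipjack, and the key, payload and explicit IV are constructed sample values): when the next IV is known before the plaintext is chosen, a submitted block can be built so that its first ciphertext block repeats an earlier packet's exactly when the guessed plaintext is right, whereas a fresh random IV gives the same probe no information.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cbcEncrypt runs CBC over one packet payload (whole blocks); AES stands in for Skipjack (block size aside).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// probeBlock is what a tester submits expecting ivNext, so the cipher input ivNext XOR probe equals ivPrev XOR guess.
func probeBlock(ivPrev, ivNext, guess []byte) []byte {
	probe := make([]byte, len(guess))
	for i := range guess {
		probe[i] = ivNext[i] ^ ivPrev[i] ^ guess[i]
	}
	return probe
}

// guessConfirmed encrypts secret, then the probe as the next packet, with the next IV
// either chained (last ciphertext block, already seen by the tester) or fresh and unpredictable.
func guessConfirmed(key, secret, guess []byte, chainIV bool) bool {
	iv1 := bytes.Repeat([]byte{0x5a}, aes.BlockSize) // constructed explicit IV; it travels in the packet
	c1 := cbcEncrypt(key, iv1, secret)
	predicted := c1[len(c1)-aes.BlockSize:] // what chaining would use as the next IV
	probe := probeBlock(iv1, predicted, guess)
	ivNext := predicted
	if !chainIV {
		ivNext = make([]byte, aes.BlockSize)
		rand.Read(ivNext) // fresh IV the tester could not predict (crypto/rand.Read cannot fail since Go 1.24)
	}
	c2 := cbcEncrypt(key, ivNext, probe)
	return bytes.Equal(c2[:aes.BlockSize], c1[:aes.BlockSize])
}

func main() {
	key, secret := []byte("0123456789abcdef"), []byte("top-secret block") // constructed sample values
	fmt.Println("chained IV confirms correct guess:", guessConfirmed(key, secret, secret, true))
	fmt.Println("random IV confirms correct guess: ", guessConfirmed(key, secret, secret, false))
}
```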