Re: I-D ACTION:draft-ietf-ipsec-skipjack-cbc-00.txt
In message <374C392A.58CCA6B8@raptor.com>, Philip Gladstone writes:
>
>>
>> Actually, no -- given CBC's properties, a dropped packet implies that the
>> following packet will not be decryptable; however, the last block of its
>> ciphertext can still be used as the IV for the next packet. You thus square
>> the effective packet loss probability. Reordering is still a significant
>> hassle for the receiver, however.
>
>Worse, the use of the last block as the IV for the next packet breaks
>the assumption that IVs are unpredictable. Note that if IVs were
>predictable, and you could persuade the endpoint to encrypt packets
>for you, then you could perform test encryptions where you control
>the input. This is very bad.
I don't agree. In fact, the ESP spec suggests using that very technique,
albeit with an explicit IV. Any block of a CBC encryption depends on *all*
of the previous blocks of plaintext (which is why CBC MACs work). You can
control the plaintext of the payload portion of a packet, and of some of the
header, but not all of the header. And it doesn't matter -- given how CBC
works, the actual plaintext encrypted in any block depends on not just the
plaintext, but also on the previous block's ciphertext, which is effectively
random.
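The chained-IV behaviour discussed above (packet n's IV is the last ciphertext block of packet n-1, and a dropped packet only desynchronizes the receiver for the packet immediately following it), as an added illustration that is not part of the thread or of the draft. It assumes a toy 64-bit Feistel cipher as a stand-in for Skipjack and constructed sample packets; the CBC chaining itself is standard.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, as Skipjack uses

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # keyed round function of the toy Feistel cipher (not Skipjack)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def chained_iv_stream(key, iv0, packets, dropped):
    # Sender: packet n's IV is the last ciphertext block of packet n-1.
    # Receiver: same rule, but using the last packet it actually received.
    # Returns (first_block_ok, remaining_blocks_ok) per packet, None if dropped.
    results, send_iv, recv_iv = [], iv0, iv0
    for n, pt in enumerate(packets):
        ct = cbc_encrypt(key, send_iv, pt)
        send_iv = ct[-BLOCK:]
        if n == dropped:
            results.append(None)
            continue
        dec = cbc_decrypt(key, recv_iv, ct)
        recv_iv = ct[-BLOCK:]
        results.append((dec[:BLOCK] == pt[:BLOCK], dec[BLOCK:] == pt[BLOCK:]))
    return results

KEY, IV0 = b"constructed-demo-key", bytes(range(8))   # constructed sample values
PACKETS = [(b"pkt%02d " % n) * 4 for n in range(4)]   # constructed 3-block packets
```

Dropping packet 1 garbles only the first block of packet 2 (wrong IV), while packet 3 decrypts cleanly because its IV, the last ciphertext block of packet 2, did arrive.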