
Re: I-D ACTION:draft-ietf-ipsec-skipjack-cbc-00.txt



>>>>> "Philip" == Philip Gladstone <philip@raptor.com> writes:

 Philip> Paul Koning wrote:

 >> I don't suppose it's ideal, but that sounds like a chosen
 >> plaintext attack, which is something that good cryptosystems
 >> should be able to cope with.
 >> 
 >> Apart from that, the explicit IV RFC has the same property: it
 >> describes chaining from one block to the next as a "common
 >> practice" (RFC 2451, top of page 8).  There isn't any assumption
 >> that IVs are unpredictable -- the preceding packet will tell you
 >> what it will be in implementations that use that "common
 >> practice".  What is required is avoiding low Hamming distance,
 >> which chaining will do (as will the use of a separate random IV
 >> per packet).

 Philip> I realize that it is common practice, however this practice
 Philip> opens you up to a chosen plaintext attack. I admit that this
 Philip> is unlikely, but since it can be avoided by choosing a random
 Philip> IV or one that is unpredictable.... why not?

Well, random numbers are usually expensive.  So consuming one at SA
creation is fine, but one per packet isn't.

Second, as Steve Bellovin alluded to, you don't get to choose the
plaintext anyway, since it is preceded by a header.  While you
generally know most or all of that header, you don't have full control
over it.

So, especially since resistance to chosen plaintext attack is a
requirement of any contemporary cipher, I don't think the issue is
relevant to IPSEC.

	paul
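
Added example, not part of this thread or of the draft: a small Python model of the two IV policies under discussion, the "common practice" of chaining (the IV for packet n+1 is the last ciphertext block of packet n) versus a fresh random IV per packet. The block cipher is a constructed 64-bit Feistel stand-in built from HMAC-SHA256, not Skipjack, and the key, IV and "secret" block are constructed test values. The equality probe shows what a predictable IV gives an adversary who controls one plaintext block: with chaining, a single sent packet confirms or refutes a guess about an earlier secret block; with a random per-packet IV the same probe fails. The probe works against any block cipher, including an ideal one, because it is a property of CBC with a predictable IV, not a weakness of the cipher.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # 64-bit block, the same block size as Skipjack


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher (constructed, not Skipjack).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a bijection on 64-bit blocks, so equal outputs
    # imply equal inputs. Stand-in for the real cipher only.
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV.
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for off in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIvSender:
    """The 'common practice': next packet's IV = last ciphertext block of this one."""

    def __init__(self, key: bytes, first_iv: bytes):
        self.key, self.next_iv = key, first_iv

    def send(self, plaintext: bytes):
        iv = self.next_iv
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.next_iv = ct[-BLOCK:]  # visible on the wire, so predictable
        return iv, ct


class RandomIvSender:
    """Fresh unpredictable IV per packet."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes):
        iv = secrets.token_bytes(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)


def predict_chained(iv: bytes, ct: bytes) -> bytes:
    # With chaining, the next IV is just the last ciphertext block seen.
    return ct[-BLOCK:]


def predict_none(iv: bytes, ct: bytes) -> bytes:
    # With random IVs the observer has nothing to go on; a fixed guess stands in.
    return bytes(BLOCK)


def probe(sender, secret_block: bytes, guess: bytes, predict_iv) -> bool:
    """Return True when one chosen packet confirms that guess == secret_block.

    Packet 1 carries the secret block under IV1.  The observer forms
    P' = guess XOR IV1 XOR IV2_predicted and sends it.  If the prediction is
    right, the cipher input is guess XOR IV1, so the first ciphertext blocks
    match exactly when the guess is correct.
    """
    iv1, ct1 = sender.send(secret_block)
    crafted = _xor(_xor(guess, iv1), predict_iv(iv1, ct1))
    _iv2, ct2 = sender.send(crafted)
    return ct2[:BLOCK] == ct1[:BLOCK]


if __name__ == "__main__":
    key = b"constructed-test-key"          # constructed, not a real SA key
    secret, wrong = b"\x01" * BLOCK, b"\x02" * BLOCK
    print("chained IV, right guess :", probe(ChainedIvSender(key, bytes(range(BLOCK))), secret, secret, predict_chained))
    print("chained IV, wrong guess :", probe(ChainedIvSender(key, bytes(range(BLOCK))), secret, wrong, predict_chained))
    print("random IV, right guess  :", probe(RandomIvSender(key), secret, secret, predict_none))
```

The probe assumes the observer controls the entire first plaintext block, which is exactly the point raised above about the header that precedes the payload: whatever is fixed or outside the sender's control narrows what can be probed, but does not change the property of the mode. On the cost objection, the usual middle ground is to derive the IV by encrypting a per-packet counter under the SA key, which is unpredictable to an observer without consuming fresh random bytes per packet.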

