
Re: Bruce Schneier on IPsec



>>>>> "tytso" == tytso  <tytso@mit.edu> writes:

 tytso> Steve Kent wrote: [I tend to agree with this analysis. The
 tytso> argument for weak key checking was made by folks who don't
 tytso> understand the cryptographic issues involved, but who are
 tytso> persistent and loud, e.g., Bill Simpson. Ted Ts'o (co-chair of
 tytso> the WG) and I discussed this problem, and tried to explain it
 tytso> to the list, but were unsuccessful. Another flaw in the
 tytso> committee process.]

 tytso> Actually, I think we had gotten agreement to remove the weak
 tytso> key check, but it never made it into the document edit.  So I
 tytso> believe it was an oversight, and I'd chalk this one up to the
 tytso> complexity of documents and overtaxed document editors.  Other
 tytso> folks who argued quite strongly for removing the weak key
 tytso> check included Bill Sommerfeld, who noted that from a software
 tytso> engineering perspective, the weak key rejection case happened
 tytso> so rarely, that there was danger in it being an untested code
 tytso> path.  Fortunately RFC 2405 lists this as a SHOULD, and so
 tytso> it's something we can adjust and remove in the next pass.

On the other hand, RFC 2409 says that you MUST do this.  And unlike
RFC 2405, the rule for deriving keying material is to use the first
eight non-weak key bytes.  So not only does 2409 require this, but it
requires weak key checking in a way that affects the *protocol*!
Removing the requirement from that document would make the two sides
come to different conclusions in the case that the first 8 bytes of
the key are weak.

Interestingly enough, the only cipher for which this rule is given is
DES, even though there are weak key checks defined for other ciphers.
So presumably for the others the rule in 2405 governs instead.  (That
one can be changed unilaterally without breaking the protocol.)

Perhaps a good answer is that the chances of tripping over the issue
in 2409 are so low that it's not worth worrying about, and besides it's
with DES which should be deprecated...

	paul
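
The interoperability point made in this message, as an added sketch that is not part of the original post or of any IPsec implementation: one peer applies the weak-key rule when deriving the DES key, the other has dropped the check. The reading of "first eight non-weak key bytes" as the first 8-byte window, sliding one byte at a time, is an assumption, and the function names and keying material are constructed for illustration.

```python
# Standard published DES weak (first row) and semi-weak keys, odd-parity form.
WEAK_HEX = """
0101010101010101 FEFEFEFEFEFEFEFE E0E0E0E0F1F1F1F1 1F1F1F1F0E0E0E0E
01FE01FE01FE01FE FE01FE01FE01FE01 1FE01FE00EF10EF1 E01FE01FF10EF10E
01E001E001F101F1 E001E001F101F101 1FFE1FFE0EFE0EFE FE1FFE1FFE0EFE0E
011F011F010E010E 1F011F010E010E01 E0FEE0FEF1FEF1FE FEE0FEE0FEF1FEF1
""".split()


def strip_parity(key: bytes) -> bytes:
    """DES ignores the low bit of each key byte, so compare without it."""
    return bytes(b & 0xFE for b in key)


WEAK = {strip_parity(bytes.fromhex(h)) for h in WEAK_HEX}


def is_weak(key: bytes) -> bool:
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    return strip_parity(key) in WEAK


def derive_checked(material: bytes) -> bytes:
    """Peer that keeps the rule: first 8-byte window that is not weak
    or semi-weak (assumed reading: slide one byte at a time)."""
    for off in range(len(material) - 7):
        candidate = material[off:off + 8]
        if not is_weak(candidate):
            return candidate
    raise ValueError("no usable 8-byte key in keying material")


def derive_unchecked(material: bytes) -> bytes:
    """Peer that has removed the check: always the first 8 bytes."""
    if len(material) < 8:
        raise ValueError("keying material too short")
    return material[:8]


def peers_agree(material: bytes) -> bool:
    return derive_checked(material) == derive_unchecked(material)


# Constructed keying material (not from any real exchange).
NORMAL = bytes.fromhex("8f3b6c21d4e07a95a3c15e7742d09b68")
WEAK_START = bytes.fromhex("0101010101010101a3c15e7742d09b68")
```

With `NORMAL` both peers pick the same key; with `WEAK_START` they silently diverge, and this is also the rarely exercised code path the quoted text warns about.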

