
Re: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB?



On Fri, 25 Feb 2000, rupesh wrote:

> I have read nearly all RFCs of IPsec; everywhere it talks about CBC
> mode implementation only. Why should IPsec not be used in other modes
> like CFB or OFB? Can anyone please give me an answer to the above question
> or forward me a link.....

CBC is most probably used since it is 'an old and proven
standard'. However, there are a number of reasons why one would prefer to
use something else:

1. CBC is a serial mode (in encryption). However, in many hardware and
   software solutions one would prefer to use a parallel mode instead
   (pipelined hardware chips, MMX/AltiVec-based implementations, ...).

   Thus CBC mode is unpleasant from an implementer's point of view. See,
   e.g., http://home.cyber.ee/helger/fastidea/ if you do not believe in
   parallel software implementations :-)

2. CBC can be attacked by the birthday paradox and therefore effectively
   reduces the lifetime of a cipher (think about that: in linear
   cryptanalysis you'll need 2^43 plaintext blocks to break DES itself,
   but actually you only need 2^32 plaintext blocks to break DES in CBC
   mode). That kind of birthday attack is unavoidable if the
   cipher is invertible.

   Thus, CBC mode is insecure. See recent publications by Mihir Bellare,
   Phil Rogaway, etc.

3. CBC requires the cipher to be invertible but invertibility makes
   ciphers much slower at the same level of security (compare invertible
   block ciphers - DES, IDEA, Rijndael - with non-invertible MACs - UMAC).
   It seems that an additional effort is required from designers to make
   the cipher invertible and still secure.

   Combined with 2, using a non-invertible cipher would be beneficial from
   both a security and an efficiency point of view, and therefore CBC should be
   abandoned if possible.

Now, would it be possible? It would: use the counter mode. It is parallel,
does not require the cipher to be invertible, allows precomputation, etc.
Moreover, it can be used in combination with DES and other invertible
ciphers such that birthday attacks will not apply. It is proven to be
very secure in the case of a strong underlying cipher.

Due to all of this, many cryptographers think that counter mode should
replace CBC mode as a standard. I am myself a very strong supporter
of this, too.

I am currently writing a draft of an Internet-Draft on counter mode that
will be finished in a week or two. (If anyone would like a preview of that,
please contact me directly.) I hope it could then be considered as a
(recommended but not required) part of IPSEC.

Helger Lipmaa
http://home.cyber.ee/helger
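[Editor's note: the following is an added example, not code from the post
above or from Helger Lipmaa. It illustrates the three points of the reply
(CBC is serial and needs the inverse permutation; a CBC block collision leaks
the XOR of two plaintext blocks without the key; counter mode is parallel,
uses only the forward direction, and works even with a non-invertible
keyed function). The 16-bit Feistel "cipher", the key, IV, nonce and the
plaintext are all constructed for the demo and are assumptions of the
example; the tiny block size is chosen so the birthday bound, 2^(16/2) = 256
blocks, is reached within a few KB, which is exactly the effect the reply
describes for DES at 2^32 blocks.]

```python
"""Toy CBC vs. counter-mode comparison (added example, not from the post).

The block cipher is a deliberately tiny 16-bit Feistel network with an
HMAC-SHA256 round function.  It is an assumption of this example, not a
real cipher, and must never be used to protect anything.
"""
import hashlib
import hmac

BLOCK = 2        # bytes per block: 16-bit block, birthday bound ~2^8 blocks
ROUNDS = 4
MASK = (1 << (8 * BLOCK)) - 1


def _round(key: bytes, r: int, half: int) -> int:
    """8-bit keyed round function F_k(r, half)."""
    return hmac.new(key, bytes([r, half]), hashlib.sha256).digest()[0]


def block_encrypt(key: bytes, pt: int) -> int:
    """Forward direction of the toy permutation on one 16-bit block."""
    l, r = pt >> 8, pt & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ _round(key, i, r)
    return (l << 8) | r


def block_decrypt(key: bytes, ct: int) -> int:
    """Inverse permutation; CBC decryption cannot work without it."""
    l, r = ct >> 8, ct & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round(key, i, l), l
    return (l << 8) | r


def prf_block(key: bytes, x: int) -> int:
    """A NON-invertible keyed 16-bit function (truncated HMAC).  Counter
    mode works with it unchanged; CBC could not, since it needs E^-1."""
    tag = hmac.new(key, x.to_bytes(BLOCK, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:BLOCK], "big")


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def _join(blocks) -> bytes:
    return b"".join(b.to_bytes(BLOCK, "big") for b in blocks)


# --- CBC: serial, needs the inverse, leaks on block collisions -------------
def cbc_encrypt(key: bytes, iv: int, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, p ^ prev)   # C_i = E(P_i ^ C_{i-1}): block i waits for i-1
        out.append(prev)
    return _join(out)


def cbc_decrypt(key: bytes, iv: int, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(block_decrypt(key, c) ^ prev)   # needs E^-1
        prev = c
    return _join(out)


def cbc_collision_leak(iv: int, ct: bytes) -> list:
    """Passive, key-less birthday attack on CBC.  Because E is a permutation,
    C_i == C_j implies P_i ^ C_{i-1} == P_j ^ C_{j-1}, so the attacker learns
    P_i ^ P_j = C_{i-1} ^ C_{j-1}.  Returns (i, j, leaked_xor) triples."""
    blocks = _blocks(ct)
    prev = [iv] + blocks[:-1]
    first_seen, leaks = {}, []
    for j, c in enumerate(blocks):
        if c in first_seen:
            i = first_seen[c]
            leaks.append((i, j, prev[i] ^ prev[j]))
        else:
            first_seen[c] = j
    return leaks


# --- Counter mode: parallel, forward direction only, same function both ways
def ctr_keystream_block(key: bytes, nonce: int, i: int, block_fn=block_encrypt) -> int:
    """Keystream block i depends only on (key, nonce, i): any block can be
    computed first, in any order, on any core, or precomputed in advance."""
    return block_fn(key, (nonce + i) & MASK)


def ctr_crypt(key: bytes, nonce: int, data: bytes, block_fn=block_encrypt) -> bytes:
    """Encryption and decryption are the same operation."""
    return _join(b ^ ctr_keystream_block(key, nonce, i, block_fn)
                 for i, b in enumerate(_blocks(data)))


def ctr_block_at(key: bytes, nonce: int, data: bytes, j: int) -> bytes:
    """Random access: ciphertext block j without touching blocks 0..j-1."""
    b = int.from_bytes(data[j * BLOCK:(j + 1) * BLOCK], "big")
    return (b ^ ctr_keystream_block(key, nonce, j)).to_bytes(BLOCK, "big")


def sample_plaintext(n_blocks: int) -> bytes:
    """Constructed, reproducible pseudo-random plaintext for the demo."""
    return hashlib.shake_256(b"example plaintext").digest(n_blocks * BLOCK)


def demo(n_blocks: int = 2000) -> dict:
    key, iv, nonce = b"toy-key-for-the-example", 0x1234, 0xBEEF   # constructed
    pt = sample_plaintext(n_blocks)
    p = _blocks(pt)
    leaks = cbc_collision_leak(iv, cbc_encrypt(key, iv, pt))
    return {
        "n_blocks": n_blocks,
        "cbc_leaks": len(leaks),                                       # roughly n^2 / 2^17 here
        "leaks_verified": all(p[i] ^ p[j] == x for i, j, x in leaks),  # attacker's XORs are right
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc_encrypt(key, iv, pt)) == pt,
        "ctr_roundtrip": ctr_crypt(key, nonce, ctr_crypt(key, nonce, pt)) == pt,
        "ctr_prf_roundtrip": ctr_crypt(key, nonce, ctr_crypt(key, nonce, pt, prf_block), prf_block) == pt,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() encrypts 2000 blocks (4 KB) under CBC and, from the
ciphertext alone, recovers the XOR of a few dozen plaintext block pairs;
the same data under counter mode round-trips with both the invertible toy
permutation and the plain truncated-HMAC function, and any ciphertext block
can be produced on its own. Scale the block size from 16 to 64 bits and the
collision count drops to the 2^32-block figure the reply quotes for DES.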
