
RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?



The main issue with counter mode is the requirement to avoid using the same
values twice.  This might not sound like much but it's the sort of thing
that gives evaluators nightmares.  That aside, I agree: it is faster than
CBC and easier to synchronise than OFB and most easily implemented in
parallel.

I can't claim to be a crypto-scholar, but looking over the publication you
reference (A Concrete Security Treatment Of Symmetric Encryption: Analysis
Of DES Modes Of Operation), I'm not convinced that the attacks they mention
are particularly viable, at least not in the IPSEC case.  The attack analysed is
chosen plaintext, which wouldn't generally be possible.

Chris


> CBC is most probably used since it is 'an old and proven
> standard'. However there is a number of reasons why one would
> prefer to use something else:
> 
> 1. CBC is a serial mode (in encryption). However, in many hardware and
>    software solutions one would prefer to use a parallel mode instead.
>    (pipelined hardware chips, MMX/AltiVec-based implementations, ...)
> 
>    Thus CBC mode is unpleasant from an implementer's point of view. See,
>    e.g. http://home.cyber.ee/helger/fastidea/ if you do not believe in
>    parallel software implementations :-)
> 
> 2. CBC can be attacked by the birthday paradox and therefore efficiently
>    reduces the lifetime of a cipher (think about that: in linear
>    cryptanalysis you'll need 2^43 plaintext blocks to break DES itself,
>    but actually you only need 2^32 plaintext blocks to break DES in CBC
>    mode). - That kind of birthday attack is unavoidable if the
>    cipher is invertible.
> 
>    Thus, CBC mode is insecure. See recent publications by Mihir Bellare,
>    Phil Rogaway etc.
> 
> 3. CBC requires the cipher to be invertible but invertibility makes
>    ciphers much slower at the same level of security (compare invertible
>    block ciphers - DES, IDEA, Rijndael - with non-invertible MACs - UMAC).
>    It seems that an additional effort is required from designers to make
>    the cipher invertible and still secure.
> 
>    Combined with 2, using a non-invertible cipher would be beneficial both
>    from a security and efficiency point of view and therefore CBC should be
>    abandoned if possible.
> 
> Now, would it be possible? It would: use the counter mode. It is parallel,
> does not require a cipher to be invertible, it allows precomputation etc.
> Moreover, it can be used in combination with DES and other invertible
> ciphers such that birthday attacks will not apply. It is proven to be
> very secure in the case of a strong underlying cipher.
> 
> Due to all of this, many cryptographers think that counter mode should
> replace CBC mode as a standard. I am myself a very strong supporter
> of this, too.
> 
> I am currently writing a draft of an internet draft on counter mode that
> will be finished in a week or two. (If anyone would like to get a preview
> of that, please directly contact me.) I hope it could then be considered as a
> (recommended but not required) part of IPSEC.
> 
> Helger Lipmaa
> http://home.cyber.ee/helger
> 
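The points argued in this exchange (counter mode only needs the forward direction of the keyed function, its blocks are independent and precomputable, its one operational rule is never to reuse a counter value under a key, and CBC with a 64-bit block cipher hits the birthday bound near 2^32 blocks) can be seen in a few dozen lines. The block below is an added illustration, not code from either poster, from the cited paper, or from any IPSEC implementation. Its assumptions: the "block function" is a 64-bit truncation of HMAC-SHA256 (a one-way MAC, standing in for the non-invertible primitive Helger describes), nonces are 8 bytes with a 64-bit big-endian counter, and the `CtrEncryptor` class, its in-memory nonce set and the `cbc_collision_probability` formula are my own names and choices.

```python
"""Counter (CTR) mode built on a NON-invertible keyed function.

Added illustration for the CBC-vs-counter-mode discussion; not code from
the thread or from any IPSEC implementation.  The "block function" is an
assumption: a 64-bit truncation of HMAC-SHA256, chosen because counter
mode only ever evaluates the keyed function in the forward direction, so
it does not need to be a (decryptable) block cipher.
"""
import hashlib
import hmac
import math
import struct
from typing import Set

BLOCK_BYTES = 8          # 64-bit blocks, the same width as DES
NONCE_BYTES = 8          # per-message nonce; a 64-bit counter fills the rest


def prf_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream block i = F_k(nonce || i).  F is one-way (a MAC), so this
    construction could not be used in CBC mode at all."""
    if len(nonce) != NONCE_BYTES:
        raise ValueError("nonce must be %d bytes" % NONCE_BYTES)
    block_input = nonce + struct.pack(">Q", counter)
    return hmac.new(key, block_input, hashlib.sha256).digest()[:BLOCK_BYTES]


def ctr_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Keystream for nbytes.  Each block depends only on (key, nonce, i), so
    blocks can be computed in any order, in parallel, or before the
    plaintext exists."""
    nblocks = (nbytes + BLOCK_BYTES - 1) // BLOCK_BYTES
    blocks = [prf_block(key, nonce, i) for i in range(nblocks)]
    return b"".join(blocks)[:nbytes]


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with keystream."""
    ks = ctr_keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class CtrEncryptor:
    """Wraps ctr_crypt and enforces the one rule counter mode has: never
    use a (key, nonce) pair for two messages.  A real implementation would
    persist the used-nonce state or derive nonces from a counter that
    survives restarts; an in-memory set is enough to show the check."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._used_nonces: Set[bytes] = set()

    def encrypt(self, nonce: bytes, plaintext: bytes) -> bytes:
        if nonce in self._used_nonces:
            raise ValueError("nonce reuse under the same key refused")
        self._used_nonces.add(nonce)
        return ctr_crypt(self._key, nonce, plaintext)


def reuse_leaks_plaintext_xor(key: bytes, nonce: bytes,
                              p1: bytes, p2: bytes) -> bool:
    """Why the rule matters: if the same (key, nonce) is used twice, the two
    ciphertexts XOR to the XOR of the two plaintexts, with no key involved.
    Returns True when that relation holds (it always does for raw CTR)."""
    c1 = ctr_crypt(key, nonce, p1)
    c2 = ctr_crypt(key, nonce, p2)
    n = min(len(p1), len(p2))
    lhs = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    rhs = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return lhs == rhs


def cbc_collision_probability(num_blocks: int, block_bits: int = 64) -> float:
    """Birthday bound for CBC with an invertible block cipher: the chance
    that two ciphertext blocks among num_blocks coincide.  A collision
    c_i == c_j reveals p_i XOR p_j = c_(i-1) XOR c_(j-1).  With 64-bit
    blocks the probability is already about 0.39 at 2**32 blocks, the
    figure quoted in the thread."""
    n = num_blocks
    return 1.0 - math.exp(-(n * (n - 1)) / (2.0 ** (block_bits + 1)))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()   # constructed
    enc = CtrEncryptor(key)
    msg = b"IPSEC payload sample"                            # constructed
    nonce = b"\x00" * 7 + b"\x01"
    ct = enc.encrypt(nonce, msg)
    print("round trip ok:", ctr_crypt(key, nonce, ct) == msg)
    print("CBC collision probability at 2^32 blocks: %.3f"
          % cbc_collision_probability(2 ** 32))
```

Two things to notice when running it: `ctr_keystream` never calls an inverse of anything, which is why a MAC suffices as the primitive; and `reuse_leaks_plaintext_xor` is the concrete form of the "same values twice" worry in the reply above, which is exactly the condition `CtrEncryptor` refuses. The birthday figure is the plain n(n-1)/2^(b+1) approximation and matches the 2^32-blocks-for-DES-in-CBC number in the quoted message.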

