
RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?



>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:

 Chris> The main issue with counter mode is the requirement to avoid
 Chris> using the same values twice.  This might not sound like much
 Chris> but it's the sort of thing that gives evaluators nightmares.
 >>  That's a fair issue, but I can't see it being a fatal problem.
 >> The same requirement already exists for sequence numbers.  As has
 >> been mentioned already (a few weeks ago, I think, perhaps in a
 >> different venue) you could concatenate the ESP sequence number
 >> with the block in packet number to make the counter number.

 Stephen> It's dangerous for a crypto system to accept a value from
 Stephen> "outside" as a basis for generating key stream, especially
 Stephen> for a mode such as this.  So, if software in my IPSec system
 Stephen> maintained the ESP sequence number and handed the formatted
 Stephen> packet into the crypto, which then made use of that
 Stephen> externally provided value for counter mode control, I'd
 Stephen> question the assurance of the resulting encryption system.
 Stephen> That's one of the reasons why we have discouraged implicit
 Stephen> IVs for CBC modes.

I view the sequence number stuff as part of the crypto system, but I
suppose opinions might differ on that.  In that case, how about
adopting the explicit "IV" approach here as well (where "IV" is
actually the high N bits of the counter)?  That way the same block
that you currently trust to do IVs properly can pass the initial
counter value for the block properly.  For a lot of implementations
that field would then merely be a copy of the sequence number, but
you'd be able to source it independently.

Then again, if the rule is that it contains a copy of the sequence
number, the crypto module can simply check that property rather than
taking it on faith.  After all, it will be running the header,
including that sequence number, through the authentication hash.

	paul
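The two ideas in the message above (deriving the counter from the ESP sequence number concatenated with the block-in-packet index, and having the crypto module check that an explicit IV field really is a copy of the header's sequence number rather than trusting it), as an added worked example. This is illustration code written for this archive page, not code from the thread, from any IPsec implementation or from a standard. Assumptions: a 64-bit sequence half and 64-bit block-index half for the counter, 16 keystream bytes per counter value, and HMAC-SHA256 used as a stand-in keystream function so the example runs offline without a block-cipher library; the function names are invented here.

```python
"""Counter mode with counter = (ESP sequence number || block-in-packet index),
plus the cross-check the message proposes: the crypto module refuses an
explicit IV that does not equal the (authenticated) header sequence number.

Assumption for this demo: HMAC-SHA256 stands in for the block cipher's
keystream generation. The point is the counter layout and the check.
"""
import hashlib
import hmac
import struct

BLOCK = 16        # keystream bytes produced per counter value (assumed)
SEQ_BITS = 64     # width of the sequence-number half of the counter (assumed)


def counter_block(seq: int, block_index: int) -> bytes:
    """High 64 bits: ESP sequence number; low 64 bits: block index in packet."""
    if not 0 <= seq < 2 ** SEQ_BITS:
        raise ValueError("sequence number out of range")
    return struct.pack(">QQ", seq, block_index)


def keystream(key: bytes, seq: int, nbytes: int) -> bytes:
    """Keystream for one packet: one PRF output per (seq, block_index)."""
    out = bytearray()
    for i in range((nbytes + BLOCK - 1) // BLOCK):
        out += hmac.new(key, counter_block(seq, i), hashlib.sha256).digest()[:BLOCK]
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crypto_module_encrypt(key: bytes, header_seq: int, explicit_iv: int,
                          plaintext: bytes) -> bytes:
    """The crypto module gets the formatted packet (header_seq, which is also
    covered by the authentication hash) and an explicit IV field that by rule
    must be a copy of the sequence number. Verify that property instead of
    taking the outside value on faith as the basis for key stream."""
    if explicit_iv != header_seq:
        raise ValueError("explicit IV does not match ESP sequence number")
    return xor(plaintext, keystream(key, explicit_iv, len(plaintext)))


def decrypt(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    return xor(ciphertext, keystream(key, seq, len(ciphertext)))


def iv_check_rejects(key: bytes, header_seq: int, explicit_iv: int) -> bool:
    """True if the module refuses this (header, IV) pair."""
    try:
        crypto_module_encrypt(key, header_seq, explicit_iv, b"x")
    except ValueError:
        return True
    return False


def sender_send(key: bytes, state: dict, plaintext: bytes):
    """Well-behaved sender: seq increments per packet, IV field is a copy of it.
    Returns (header_seq, explicit_iv, ciphertext)."""
    state["seq"] += 1
    seq = state["seq"]
    return seq, seq, crypto_module_encrypt(key, seq, seq, plaintext)


def reuse_leak(key: bytes, seq: int, p1: bytes, p2: bytes) -> bool:
    """The evaluator's nightmare: one counter value used for two packets.
    The keystream cancels, so c1 XOR c2 equals p1 XOR p2 (returns True)."""
    c1 = crypto_module_encrypt(key, seq, seq, p1)
    c2 = crypto_module_encrypt(key, seq, seq, p2)
    return xor(c1, c2) == xor(p1, p2)


if __name__ == "__main__":
    key = b"\x01" * 32                # constructed demo key
    st = {"seq": 0}
    seq, iv, c = sender_send(key, st, b"constructed ESP payload")
    assert decrypt(key, seq, c) == b"constructed ESP payload"
    print("IV check rejects mismatch:", iv_check_rejects(key, 9, 10))
    print("counter reuse leaks p1^p2:", reuse_leak(key, 7, b"attack at dawn", b"hold the line!"))
```

The check costs one integer comparison and catches a software layer that hands the module a stale or forged IV; it does not, of course, protect against the sender's own sequence counter being reset (for example after a reboot without rekeying), which `reuse_leak` shows is exactly the failure that turns counter mode into a two-time pad.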


