
RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?



On Fri, 3 Mar 2000, Paul Koning wrote:

> I view the sequence number stuff as part of the crypto system, but I
> suppose opinions might differ on that.  In that case, how about
> adopting the explicit "IV" approach here as well (where "IV" is
> actually the high N bits of the counter)?  That way the same block
> that you currently trust to do IVs properly can pass the initial
> counter value for the block properly.  For a lot of implementations
> that field would then merely be a copy of the sequence number, but
> you'd be able to source it independently.

Some remarks. Counter mode is the strongest if you use _every_ counter
only once, and if you use (say) a keyed hash function (or a designated
construction) instead of a block cipher. If you use the counter only once,
it does not matter what the specific order is. Chosen IV attacks can break
the mode, but that is also the case for the CBC mode (in the counter mode
the result is more devastating, however: the XOR of every two ciphertext
blocks reveals the XOR of the corresponding plaintext blocks. Note that in
the case of CBC mode only the XOR of the first two ciphertext blocks would
reveal the XOR of the corresponding plaintext blocks). So quantitatively,
chosen IV attacks are more dangerous against the counter mode than against
the CBC mode; however, since some information would also leak out from the
CBC mode, using the same IV/counter should be prohibited in both modes.

The problem with the sequence number concatenated with the packet number
used as a counter is that some counter space would be lost: e.g. if
sequence numbers are 32-bit numbers and packets are not longer than 2^16
blocks (where a block could be 8, 16 or 32 bytes) in length, there would be
no more than 2^48 different counters. Of course, that is still better than
the security of 2^32 offered by the CBC mode. And in this case more than
2^48 encrypted blocks should not be sent anyway (otherwise the ESP counter
would zero again).

Of course, the birthday paradox can be avoided only if the cipher is
non-invertible. Fortunately, a lot of good constructions are known for
that. UMAC by Halevi et al. could be used for that. Or keyed SHA-1. Or the
Bellare-Impagliazzo construction based on block ciphers.

More in the draft... (which is also going to be submitted as a public
comment for NIST to consider in the AES process).

Helger Lipmaa
Küberneetika AS
http://home.cyber.ee/helger
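The counter-reuse leak the post describes, as an added example that is not part of the original message: a counter mode built from a keyed hash (HMAC-SHA1 standing in for "keyed SHA-1") with the counter formed as a 32-bit sequence number followed by a 16-bit block index, i.e. the 2^48 counter space discussed above. Function names, the HMAC-based keystream and the sample payloads are this example's own assumptions.

```python
# Counter mode from a keyed hash: keystream block = HMAC-SHA1(key, seq || block_index).
# Reusing a counter value makes C1 XOR C2 == P1 XOR P2 for every block; unique
# sequence numbers per packet remove that relation.  Names are assumed, not from the post.
import hmac
import hashlib

BLOCK = 20  # SHA-1 output width in bytes; one counter value yields one keystream block

def keystream_block(key: bytes, seq: int, block_index: int) -> bytes:
    """Keystream block for one (32-bit sequence number, 16-bit block index) counter."""
    assert 0 <= seq < 2**32 and 0 <= block_index < 2**16
    counter = seq.to_bytes(4, "big") + block_index.to_bytes(2, "big")
    return hmac.new(key, counter, hashlib.sha1).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with successive keystream blocks; decryption is the same call."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        out += xor(plaintext[i:i + BLOCK], keystream_block(key, seq, i // BLOCK))
    return bytes(out)

def ciphertext_xor(key: bytes, p1: bytes, p2: bytes, seq1: int, seq2: int) -> bytes:
    """XOR of two packets' ciphertexts; equals p1 XOR p2 exactly when the counter is reused."""
    return xor(ctr_encrypt(key, seq1, p1), ctr_encrypt(key, seq2, p2))

# Constructed sample data: one key, two 40-byte (two-block) packet payloads.
KEY = b"constructed-demo-key"
P1 = b"first packet payload, two blocks long".ljust(40, b".")
P2 = b"second packet payload, two blocks long".ljust(40, b".")

if __name__ == "__main__":
    # Same sequence number reused: every ciphertext block pair leaks the plaintext XOR.
    assert ciphertext_xor(KEY, P1, P2, 7, 7) == xor(P1, P2)
    # Distinct sequence numbers: the relation disappears.
    assert ciphertext_xor(KEY, P1, P2, 7, 8) != xor(P1, P2)
    print("counter reuse leaks P1 XOR P2; unique counters do not")
```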


