
Re: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?



Rupesh, Helger,

Helger Lipmaa wrote:
> 
> On Fri, 25 Feb 2000, rupesh wrote:
> 
> > I had read nearly all RFCs of Ipsec , everywhere it talks about CBC
> > mode implementation only. why Ipsec should not be used in other modes
> > like CFB or OFB ? Please anyone can give me answer to above question
> > or forward me a link.....
> 

There are some attacks to which stream ciphers, and ECB, OFB, and
counter modes are more vulnerable than CBC mode.  Biham's key collision
attack and Hellman's time-memory tradeoff attack are both described as
attacks on ECB mode block ciphers, though they can be applied to all of
the ciphers/modes mentioned above.  Hellman's attack uses precomputation
to amortize the computational cost of finding a secret key over multiple
attacks, significantly lowering the average cost of an attack.  Biham's
attack works when the same plaintext is encrypted under many distinct
keys, and can find a secret key with significant advantage over
exhaustive search when many ciphertexts are available.

Biham described his attack in a paper called "How to forge DES encrypted
messages with O(2^28) work".  This paper is available on his website at
http://www.cs.technion.ac.il/~biham/.  Hellman's attack originally
appeared in his paper in IEEE Transactions on Information Theory circa
1979, and it is not available online.  Stinson's book "Cryptography:
Theory and Practice" describes how that attack works.

I am currently working on an analysis of these attacks for IPSEC, in
support of an upcoming stream cipher encryption draft for IPSEC. 

> CBC is most probably used since it is 'an old and proven
> standard'. However there is a number of reasons why one would prefer to
> use something else:
> 
> 1. CBC is a serial mode (in encryption). However, in many hardware and
>    software solutions one would prefer to use a parallel mode instead.
>    (pipelined hardware chips, MMX/AltiVec-based implementations, ...)
> 
>    Thus CBC mode is unpleasant from an implementer point of view. See,
>    e.g. http://home.cyber.ee/helger/fastidea/ if you do not believe in
>    parallel software implementations :-)
> 
> 2. CBC can be attacked by birthday paradox and therefore efficiently
>    reduces the lifetime of a cipher (think about that: in linear
>    cryptanalysis you'll need 2^43 plaintext blocks to break DES itself,
>    but actually you only need 2^32 plaintext blocks to break DES in CBC
>    mode). - that kind of birthday attacks are unavoidable if the
>    cipher is invertible.
> 
>    Thus, CBC mode is insecure. See recent publications by Mihir Bellare,
>    Phil Rogaway etc.

As has already been pointed out, the O(2^32) attack against CBC is a
chosen plaintext attack, and it only recovers a small number of unknown
plaintext blocks.  It is a potential threat, though a minor one that is
easily defended against by limiting the number of blocks encrypted under
a single key.

> 
> 3. CBC requires the cipher to be invertible but invertibility makes
>    ciphers much slower at the same level of security (compare invertible
>    block ciphers - DES, IDEA, Rijndael - with non-invertible MACs - UMAC).
>    It seems that an additional effort is required from designers to make
>    the cipher invertible and still secure.
> 

Agreed.  Secure stream ciphers appear to be faster than secure block
ciphers.

>    Combined with 2, using a non-invertible cipher would be beneficial both
>    from security and efficiency point of view and therefore CBC should be
>    abandoned if possible.
> 
> Now, would it be possible? It would: use the counter mode. It is parallel,
> does not require a cipher to be invertible, it allows precomputation etc.
> Moreover, it can be used in combination with DES and other invertible
> ciphers such that birthday attacks will not apply. It is proven to be
> very secure in the case of strong underlying cipher.
> 
> Due to all of this, many cryptographers think that counter mode should
> replace CBC mode as a standard. I am myself a very strong supporter
> of this, too.
> 
> I am currently writing a draft of an internet draft on counter mode that
> will be finished in a week or two. (If anyone would get a preview of that,
> please directly contact me.) I hope it could then be considered as a
> (recommended but not required) part of IPSEC.
> 
> Helger Lipmaa
> http://home.cyber.ee/helger

I would like to read your draft.  Could you please forward me a copy?

thanks,

David
mcgrew@cisco.com
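An added example, not part of the thread above and not code from any of its participants, that puts numbers on three points made in it: the 2^(n/2) birthday collision in CBC that leaks plaintext (Helger's point 2 and David's reply that it recovers only a few blocks), the same collision yielding nothing under counter mode (Helger's argument for counter mode), and a key-collision search of the kind David attributes to Biham. It uses a toy 16-bit Feistel cipher, a 2000-block message and 512 victim keys, all constructed here so that the effects show up after a few hundred blocks or keys instead of 2^32; the cipher, the sizes and the seeds are assumptions and have nothing to do with DES or any IPsec transform.

```python
"""Added example, not from the original thread: the birthday-bound leak in
CBC versus counter mode, and a key-collision search in the spirit of Biham's
attack, on a toy 16-bit Feistel cipher constructed here.  Nothing below is
DES or an IPsec transform; the toy sizes just make the 2^(n/2) effects visible."""
import hashlib
import random

MASK = 0xFFFF   # constructed toy sizes: 16-bit block and 16-bit key
ROUNDS = 4


def _f(key, rnd, half):
    # Round function: one byte of SHA-256 over (key, round number, right half).
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]


def encrypt_block(key, block):
    """Toy 16-bit Feistel permutation (weak by construction; decryption is
    omitted because none of the attacks below needs it)."""
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 8) | r


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(key, p ^ prev)
        out.append(prev)
    return out


def ctr_encrypt(key, nonce, blocks):
    # Keystream block i is E_k(nonce + i); distinct inputs, so it never repeats.
    return [p ^ encrypt_block(key, (nonce + i) & MASK) for i, p in enumerate(blocks)]


def birthday_recover(iv, cipher, known):
    """Collision attack on CBC: C_i == C_j implies P_i ^ P_j = C_{i-1} ^ C_{j-1}
    (with C_{-1} = IV), because E_k is a permutation.  `known` maps index ->
    plaintext block for the blocks the attacker already has.  Returns
    {j: guess for P_j} for unknown blocks that collide with known ones."""
    prev = [iv] + cipher[:-1]
    positions, guesses = {}, {}
    for j, c in enumerate(cipher):
        positions.setdefault(c, []).append(j)
    for idxs in positions.values():
        for i in idxs:
            if i in known:
                for j in idxs:
                    if j not in known:
                        guesses[j] = known[i] ^ prev[i] ^ prev[j]
    return guesses


def demo_modes(n_blocks=2000, seed=1):
    """Encrypt one random message under CBC and CTR with the same key; the
    attacker knows the first half of the plaintext.  Returns
    (CBC guesses, CBC correct, CTR guesses, CTR correct).  In CBC every guess
    is right; in CTR the same formula yields nothing but chance hits, since
    C_i == C_j there only says P_i ^ P_j = E_k(n+i) ^ E_k(n+j)."""
    rng = random.Random(seed)
    key, iv = rng.getrandbits(16), rng.getrandbits(16)
    plain = [rng.getrandbits(16) for _ in range(n_blocks)]
    known = {i: plain[i] for i in range(n_blocks // 2)}
    stats = []
    for ct in (cbc_encrypt(key, iv, plain), ctr_encrypt(key, iv, plain)):
        g = birthday_recover(iv, ct, known)
        stats += [len(g), sum(1 for j, v in g.items() if plain[j] == v)]
    return tuple(stats)


def key_collision(n_targets=512, n_trials=2048, seed=2):
    """Key-collision search: the same two plaintext blocks were encrypted under
    n_targets unknown keys.  The attacker encrypts them under random trial keys
    and looks each result up in a table of the target ciphertexts, confirming a
    hit on the second block.  Returns the number of target keys recovered:
    about n_targets * n_trials / 2^16 of them, versus 2^15 trials per key
    for exhaustive search."""
    rng = random.Random(seed)
    p0, p1 = 0x1234, 0xABCD
    table = {}
    for _ in range(n_targets):
        k = rng.getrandbits(16)
        table[encrypt_block(k, p0)] = encrypt_block(k, p1)
    recovered = 0
    for _ in range(n_trials):
        trial = rng.getrandbits(16)
        c1 = table.get(encrypt_block(trial, p0))
        if c1 is not None and encrypt_block(trial, p1) == c1:
            recovered += 1
    return recovered
```

With a 64-bit block the same arithmetic puts the CBC collision at about 2^32 blocks, which is why the defence mentioned above (rekey well before that many blocks are sent under one key) works; the collision still exists under counter mode but the equal ciphertexts say nothing about the plaintext. The counter mode failure practitioners need to remember is a different one: a (key, counter) pair used twice gives two ciphertexts whose XOR is the XOR of the plaintexts, with no collision search needed.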

