Re: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Rupesh, Helger,
Helger Lipmaa wrote:
>
> On Fri, 25 Feb 2000, rupesh wrote:
>
> > I had read nearly all RFCs of Ipsec , everywhere it talks about CBC
> > mode implementation only. why Ipsec should not be used in other modes
> > like CFB or OFB ? Please anyone can give me answer to above question
> > or forward me a link.....
>
There are some attacks to which stream ciphers, and ECB, OFB, and
counter modes are more vulnerable than CBC mode. Biham's key collision
attack and Hellman's time-memory tradeoff attack are both described as
attacks on ECB mode block ciphers, though they can be applied to all of
the ciphers/modes mentioned above. Hellman's attack uses precomputation
to amortize the computational cost of finding a secret key over multiple
attacks, significantly lowering the average cost of an attack. Biham's
attack works when the same plaintext is encrypted under many distinct
keys, and can find a secret key with significant advantage over
exhaustive search when many ciphertexts are available.
Biham described his attack in a paper called "How to forge DES encrypted
messages with O(2^28) work". This paper is available on his website at
http://www.cs.technion.ac.il/~biham/. Hellman's attack originally
appeared in his paper in IEEE Transactions on Information Theory circa
1979, and it is not available online. Stinson's book "Cryptography:
Theory and Practice" describes how that attack works.
I am currently working on an analysis of these attacks for IPSEC, in
support of an upcoming stream cipher encryption draft for IPSEC.
> CBC is most probably used since it is 'an old and proven
> standard'. However there is a number of reasons why one would prefer to
> use something else:
>
> 1. CBC is a serial mode (in encryption). However, in many hardware and
> software solutions one would prefer to use a parallel mode instead.
> (pipelined hardware chips, MMX/AltiVec-based implementations, ...)
>
> Thus CBC mode is unpleasant from an implementer point of view. See,
> e.g. http://home.cyber.ee/helger/fastidea/ if you do not believe in
> parallel software implementations :-)
>
> 2. CBC can be attacked by birthday paradox and therefore efficiently
> reduces the lifetime of a cipher (think about that: in linear
> cryptanalysis you'll need 2^43 plaintext blocks to break DES itself,
> but actually you only need 2^32 plaintext blocks to break DES in CBC
> mode). - that kind of birthday attacks are unavoidable if the
> cipher is invertible.
>
> Thus, CBC mode is insecure. See recent publications by Mihir Bellare,
> Phil Rogaway etc.
As has already been pointed out, the O(2^32) attack against CBC is a
chosen plaintext attack, and it only recovers a small number of unknown
plaintext blocks. It is a potential threat, though a minor one that is
easily defended against by limiting the number of blocks encrypted under
a single key.
>
> 3. CBC requires the cipher to be invertible but invertibility makes
> ciphers much slower at the same level of security (compare invertible
> block ciphers - DES, IDEA, Rijndael - with non-invertible MACs - UMAC).
> It seems that an additional effort is required from designers to make
> the cipher invertible and still secure.
>
Agreed. Secure stream ciphers appear to be faster than secure block
ciphers.
> Combined with 2, using a non-invertible cipher would be beneficial both
> from security and efficiency point of view and therefore CBC should be
> abandoned if possible.
>
> Now, would it be possible? It would: use the counter mode. It is parallel,
> does not require a cipher to be invertible, it allows precomputation etc.
> Moreover, it can be used in combination with DES and other invertible
> ciphers such that birthday attacks will not apply. It is proven to be
> very secure in the case of strong underlying cipher.
>
> Due to all of this, many cryptographers think that counter mode should
> replace CBC mode as a standard. I am myself a very strong supporter
> of this, too.
>
> I am currently writing a draft of an internet draft on counter mode that
> will be finished in a week or two. (If anyone would get a preview of that,
> please directly contact me.) I hope it could then be considered as a
> (recommended but not required) part of IPSEC.
>
> Helger Lipmaa
> http://home.cyber.ee/helger
I would like to read your draft. Could you please forward me a copy?
thanks,
David
mcgrew@cisco.com
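The birthday-bound attack on CBC that Helger raises (point 2) and David qualifies above, next to the counter-mode behaviour Helger argues for, as an added example that is not part of the thread. The block cipher here is a constructed stand-in for DES: a keyed random permutation on 16-bit blocks, so the 2^(n/2) bound is about 2^8 blocks and a collision appears in milliseconds instead of at 2^32 blocks. Once two CBC ciphertext blocks collide, the attacker learns the XOR of the two corresponding plaintext blocks from ciphertext alone; turning that XOR into a plaintext block still needs one of the two blocks to be known, which is why only a few unknown blocks are recovered. The same key in counter mode never produces a repeated keystream block, because the counter inputs are distinct and the cipher is a permutation. The `max_blocks_for_collision_prob` helper is the rekeying check David mentions, limiting blocks per key; all names, the seed and the plaintext are assumptions of this example.

```python
"""Birthday collision attack on CBC versus counter mode, on a toy cipher.

Added example, not code from the mailing-list thread. ToyBlockCipher is a
constructed stand-in for DES: a keyed random permutation on 16-bit blocks,
chosen so that the birthday bound (about 2^8 blocks) is reached at once.
"""
import math
import random
from typing import Dict, List, Optional, Tuple

BLOCK_BITS = 16
BLOCK_MASK = (1 << BLOCK_BITS) - 1


class ToyBlockCipher:
    """Keyed random permutation on 16-bit blocks (ideal-cipher stand-in)."""

    def __init__(self, key: int) -> None:
        self.table = list(range(1 << BLOCK_BITS))
        random.Random(key).shuffle(self.table)  # constructed, not a real cipher

    def encrypt_block(self, x: int) -> int:
        return self.table[x & BLOCK_MASK]


def cbc_encrypt(cipher: ToyBlockCipher, iv: int, blocks: List[int]) -> List[int]:
    """C_i = E(P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def ctr_keystream(cipher: ToyBlockCipher, nonce: int, n: int) -> List[int]:
    """Keystream block k = E((nonce + k) mod 2^16). Inputs are distinct, so a
    permutation yields distinct outputs until the counter wraps (2^16 blocks)."""
    return [cipher.encrypt_block((nonce + k) & BLOCK_MASK) for k in range(n)]


def find_cbc_collision(ciphertext: List[int]) -> Optional[Tuple[int, int]]:
    """Return indices (i, j), i < j, of the first pair with C_i == C_j."""
    seen: Dict[int, int] = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None


def cbc_collision_leak(iv: int, ciphertext: List[int], i: int, j: int) -> int:
    """C_i == C_j and E is a permutation, so P_i ^ C_{i-1} == P_j ^ C_{j-1}.
    The attacker therefore learns P_i ^ P_j = C_{i-1} ^ C_{j-1} from
    ciphertext alone (C_{-1} is the IV)."""
    prev_i = iv if i == 0 else ciphertext[i - 1]
    prev_j = iv if j == 0 else ciphertext[j - 1]
    return prev_i ^ prev_j


def max_blocks_for_collision_prob(block_bits: int, prob: float) -> int:
    """Rekey budget: with N = 2^n possible blocks, Pr[collision among m
    blocks] is about m^2 / (2N), so keep m <= sqrt(2 * N * prob).
    For a 64-bit block and prob 2^-32 this is roughly 2^16.5 blocks."""
    return int(math.sqrt(2.0 * (1 << block_bits) * prob))


def demo(seed: int = 1, n_blocks: int = 4096) -> dict:
    """Encrypt n_blocks of constructed random plaintext under one key in CBC,
    find a ciphertext collision, and check the leaked XOR against the truth.
    With 4096 blocks of a 16-bit cipher the no-collision probability is
    exp(-4096^2 / 2^17) = exp(-128), so the attack is expected to succeed."""
    rng = random.Random(seed)  # fixed seed: assumption for reproducibility
    cipher = ToyBlockCipher(rng.getrandbits(32))
    iv = rng.getrandbits(BLOCK_BITS)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]

    ct = cbc_encrypt(cipher, iv, plaintext)
    hit = find_cbc_collision(ct)
    leaked = true_xor = None
    if hit is not None:
        i, j = hit
        leaked = cbc_collision_leak(iv, ct, i, j)
        true_xor = plaintext[i] ^ plaintext[j]

    # Same key, same number of blocks, counter mode: no repeated keystream.
    ks = ctr_keystream(cipher, rng.getrandbits(BLOCK_BITS), n_blocks)
    return {
        "collision": hit,
        "leaked_xor": leaked,
        "true_xor": true_xor,
        "ctr_keystream_distinct": len(set(ks)) == len(ks),
    }


if __name__ == "__main__":
    r = demo()
    print("CBC collision at blocks", r["collision"],
          "leaked P_i^P_j =", r["leaked_xor"], "true =", r["true_xor"])
    print("CTR keystream blocks all distinct:", r["ctr_keystream_distinct"])
    print("64-bit-block CBC blocks before Pr[collision] > 2^-32:",
          max_blocks_for_collision_prob(64, 2.0 ** -32))
```

The counter-mode half of the demo shows only that collisions vanish within one key; it does not make counter mode free of caveats. Because the keystream depends solely on the counter input, reusing a nonce/counter value under the same key leaks P_i xor P_j directly, so any counter-mode profile for IPSEC has to guarantee unique counter blocks per key, which is where the rekeying budget above still applies.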