
Re: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB?



In article <38C437F4.3C7A71EF@cisco.com>,
David A. McGrew <mcgrew@cisco.com> wrote:
> there are some attacks to which stream ciphers, and ECB, OFB, and
> counter modes are more vulnerable than CBC mode.  Biham's key collision
> attack and Hellman's time-memory tradeoff attack [...]

I have to disagree with you on this point.

I believe the attacks you cited only work against OFB or counter mode
if you use a fixed IV (e.g., all zeros).  But it is well-known that
this is a bad idea, no matter what mode you use.

So I don't think these considerations should prevent us from using
counter mode.

Note that Steve Kent has pointed out concerns with the stream cipher
modes (although one can plausibly argue that there are systems-level
countermeasures available).

> As has already been pointed out, the O(2^32) attack against CBC is a
> chosen plaintext attack, and it only recovers a small number of unknown
> plaintext blocks.

I think there might be a small typo here.  The birthday attack against
CBC mode is a ciphertext-only attack (where a little bit of information
on the plaintext leaks), and is definitely not a chosen plaintext attack.

