Re: Death to AH (was Re: SA identification)

["Valery Smyslov" <svan@trustworks.com>]

On 23 Mar 01, at 15:17, Steven M. Bellovin wrote:

[...]

> >3) make authentication mandatory for ESP
> 
> Agreed.

[...]

> >4) modify ESP to ensure it authenticates all data used in deciphering
> 
> I don't have the paper handy, but how is this different from (3)?

The paper criticized IPsec's order of performing encryption and 
authentication (for outgoing packets first encrypt, then 
authenticate), making reference to "Horton principle" (authenticate 
what was meant, not what was said). The authors confessed that the 
current order helped fast discarding of fake packets, but questioned, 
whether it was really important and, if so, suggested to at least 
include decryption key in authenticated data.

> >6) modify KEYMAT derivation
> >7) modify hashing
> >8) modify phase 2 KEYMAT derivation
> 
> Anything to simplify IKE!

Actually, the paper's suggestions on these issues don't lead to 
simplification of IKE - just to fixing some IKE security weaknesses. 
BTW, the authors seemed to make some mistakes in their analysis here, 
for example, they stated that HMAC algorithm cannot be used with keys 
longer than 64 bytes...

> 		--Steve Bellovin, http://www.research.att.com/~smb

Regards,
Valery Smyslov.

---

References:

• Re: Death to AH (was Re: SA identification)
• From: "Steven M. Bellovin" <smb@research.att.com>

---

• Prev by Date: Re: Death to AH (was Re: SA identification)
• Next by Date: Re: Death to AH (was Re: SA identification)
• Prev by thread: Re: Death to AH (was Re: SA identification)
• Next by thread: Re: Death to AH (was Re: SA identification)
• Index(es):
  • Main
  • Thread