
RE: Simplifying IKE



> > > 4. modify ESP to ensure it authenticates all data used in the deciphering of the payload
> >
> > This is the only recommendation in this paper based on a direct security
> > flaw, with a proposed attack to demonstrate it. There are others in the
> > Simpson paper.
>
> And if you use Choice 3a above, you get this for free - AH covers the whole
> ESP datagram, SPI/IV/etc.


If my memory serves me correctly, Ferguson/Schneier were actually suggesting that

1. encryption be applied AFTER authentication

or, failing that, that

2. the encryption/decryption key be included in the data which is hashed

This is to prevent an esoteric attack they describe which is infeasible and
wouldn't cause any damage anyway. That is not a compelling reason to
redesign ESP.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.



