[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CBC makes Implementations too Slow.

To: "ipsec" <ipsec@lists.tislabs.com>
Subject: Re: CBC makes Implementations too Slow.
From: "mahdavi" <mahdavi110@yahoo.com>
Date: Fri, 30 Nov 2001 02:56:40 +0330
References: <20011031005533.B51867C01@berkshire.research.att.com><Pine.A32.3.96.1011128155047.29234E-100000@archmage.austin.ibm.com> <15366.18464.416439.388616@pkoning.dev.equallogic.com>
Sender: owner-ipsec@lists.tislabs.com

Hi.
And other way to encrease speed and also not to loose security and also not
to pay for Overhead is to generate a random number for IV to use with first
block and generate other IVs for other Blocks based on this IV and number of
block.

I mean this.

(P satnds for Plain block, C stands for Ciphered Block, F is a function, S
is Security function.)


IV ( 0 ) = a random number; C ( 0 ) = S ( P(0) , IV ( 0 ) ) ; // may be S
 P (0) XOR IV ( 0 )

for i from 0 till end of Block
    IV ( i ) = F ( IV ( i - 1 ) ) ;  C ( i ) = S ( P ( i ) , IV ( i ) ) ; //
may be S ( P (0) XOR IV ( 0 )


If F be a right function that is known with both end node and be simple that
can be generated as fast we will gain all option that I mentioned.

In this way a very Efficient pipeline can be made.



----- Original Message -----
From: "Paul Koning" <ni1d@arrl.net>
To: <mikecyr@austin.ibm.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Thursday, November 29, 2001 6:07 PM
Subject: Re: CBC makes Implementations too Slow.


> >>>>> "Michael" == Michael Cyr <mikecyr@austin.ibm.com> writes:
>
>  Michael> On Tue, 30 Oct 2001, Steven M. Bellovin wrote:
>  >> CBC mode requires feedback, which makes it impossible to pipeline
>  >> encryptions; you can't encrypt plaintext block P[n+1] until you
>  >> have the ciphertext from encrypting P[n].
>
>  Michael> I know this discussion was a while ago, but I have a
>  Michael> question related to the problem.  First, let me say that I'm
>  Michael> new to the list, and still somewhat new to IPsec in general,
>  Michael> so I hope you'll forgive any ignorance on my part.
>
>  Michael> Would it be a complete violation of the protocol to use
>  Michael> random data for the IV data instead of a portion of the
>  Michael> ciphertext of the previous block?  I know this violates the
>  Michael> spirit of cipher block _chaining_, but it would seem to
>  Michael> address the concern that CBC was meant to fix, which is to
>  Michael> ensure that if the same cleartext is encrypted twice, it
>  Michael> doesn't produce the same ciphertext.  Anyone have a
>  Michael> definitive answer on this?
>
> My reading of the spec is that this is perfectly legal.  The one thing
> you're not supposed to do is to use a low entropy IV value, such as a
> packet counter.
>
> That doesn't fix the performance problem for a single packet, though.
> You can do each packet independently if you use a random IV, but each
> plaintext block *within* the packet is still dependent on the previous
> block.
>
> On the other hand, using independent IVs per packet provides a useful
> gain if you have a number of packets pending (for the same SA) -- you
> can then encrypt them in parallel.  In high load cases you will almost
> certainly have multiple packets waiting to be processed, so this
> should indeed give you a significant performance gain.
>
>     paul



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Follow-Ups:

Re: CBC makes Implementations too Slow.

From: Derek Atkins <warlord@mit.edu>

References:

Re: CBC makes Implementations too Slow.

From: Michael Cyr <mikecyr@austin.ibm.com>

Re: CBC makes Implementations too Slow.

From: Paul Koning <ni1d@arrl.net>

Prev by Date: Re: SOI: identity protection and DOS
Next by Date: Re: Gee, shared secrets suck (was: Re: SOI: identity protection and DOS)
Next by thread: Re: Status of ID: IPsec Flow Monitoring MIB
Index(es):
- Main
- Thread