Re: Two AES encryption modes?



David,

> >2. You want to use manual keying and therefore may send more than one
> >   packet with the same IV.  With CBC that doesn't compromise the
> >   confidentiality of the data; with counter mode it does.
> 
> Nitpick: CBC is not really as secure as one might like if IVs repeat,
> however it is true that IV reuse hurts CTR mode much worse than CBC mode.
> 
> If you reuse the same IV with CBC mode, there is some minor compromise
> of message confidentiality (shared plaintext prefixes show through as
> shared prefixes in the ciphertexts); in comparison, IV reuse in CTR mode
> is more devastating (it reveals both plaintexts).

Manual keying does NOT, I repeat NOT mean identical IVs.  The two
implementations I worked on (NRL, Solaris) use random (for "random" ==
/dev/urandom strength) IVs regardless of how IPsec SAs are derived.

Dan
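
The IV-reuse behaviour discussed in the quoted text above, as an added example that is not part of the original message. A toy Feistel permutation built from HMAC-SHA256 stands in for AES so the block runs on the Python standard library alone; the key, packets, and all function names are constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    # 4-round Feistel permutation keyed with HMAC-SHA256: a stand-in for
    # AES so the example needs no third-party library. Not a secure cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key, iv, pt):
    # Keystream block n = E_k(first 12 IV bytes || 32-bit block counter).
    out = []
    for i in range(0, len(pt), BLOCK):
        ks = toy_block_encrypt(key, iv[:12] + (i // BLOCK).to_bytes(4, "big"))
        out.append(xor(pt[i:i + BLOCK], ks))
    return b"".join(out)

def equal_prefix_blocks(c1, c2):
    # Number of leading ciphertext blocks that are byte-for-byte identical.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

# Constructed sample data: two packets sharing a 32-byte (two-block) prefix.
KEY = b"constructed-key!"
P1 = b"common-header---" * 2 + b"secret payload 1"
P2 = b"common-header---" * 2 + b"other payload 22"

if __name__ == "__main__":
    iv = os.urandom(BLOCK)  # one IV reused for both packets
    c1, c2 = ctr_encrypt(KEY, iv, P1), ctr_encrypt(KEY, iv, P2)
    print("CBC same IV, equal leading blocks:",
          equal_prefix_blocks(cbc_encrypt(KEY, iv, P1), cbc_encrypt(KEY, iv, P2)))
    print("CTR same IV, c1^c2 == p1^p2:", xor(c1, c2) == xor(P1, P2))
```

With a fresh IV per packet, as the reply says the NRL and Solaris implementations use, the CBC prefixes no longer match and the CTR keystreams differ, so neither relation holds.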