[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt

To: "Housley, Russ" <rhousley@rsasecurity.com>, "David A. Mcgrew" <mcgrew@cisco.com>
Subject: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
From: Alex Alten <Alten@attbi.com>
Date: Mon, 29 Jul 2002 11:42:22 -0700
Cc: ipsec@lists.tislabs.com
In-Reply-To: <5.1.0.14.2.20020729095412.02ecbc90@exna07.securitydynamics.com>
References: <FPELKLHKCBJLMMMNOGDFKEAHDLAA.mcgrew@cisco.com><6F0AA176DA68704884B7507AE6907E18091F4C@snake012.odetics.com>
Sender: owner-ipsec@lists.tislabs.com

At 09:59 AM 7/29/2002 -0400, Housley, Russ wrote:
>[Klaus]
>> > yes, I agree with you, I can not see any reason to use an external IV for
>> > AES CTR if algorithms easy can be defined for internal building of IV's 
>> with
>> > ESP sequence number and SPI. The only cryptographic requirement for the
>> > sequence of IV's is, that all the counter values, derived from all the
IV's
>> > over all the ESP packets, transformed by AES, are different as long as
one
>> > fixed key is used.
>
>[David]
>>that's right.  Additionally, some additional strength against attacks which
>>rely on precomputation of a database to use during the attack stage can be
>>gained by having the part of the counter be secret.
>
>We have discussed the inclusion of a secret component in the counter.  It 
>complicates the key management by requiring an additional secret value to 
>be managed.  If one is concerned about this type of dictionary attack, the 
>use of a longer AES key provides more protection without imposing 
>additional requirements on key management.
>
>Russ
>

I believe someone already has stated the problem will be to prevent the
counter
from repeating (or being predictable) with the same key. It's entropy in
practice
may be fairly low.  Also, there may be the fairly likely danger of shared keys
across multiple hosts which is deadly if any IV values commonly repeat on
different hosts (this helped to kill WEP).  I think this is the crux of the
matter,
and I don't think this can be solved with a software PRNG algorithm.  What I'd
recommend is to try to pull it from hardware, like the Intel P4 supporting
chipset.
If this is not possible maybe a large random seed can be placed on each
host, and
the PRNG is then used to pseudo-randomly mix/fold the seed bits. One can
get quite
a few "unpredictable" random IV values that way. There will be an exponential
decay in unpredictableness, but hopefull you can start high enough up on
the curve
for it to useful.  Eventually the seed would need to be refreshed, but if
it is
infrequent enough it could be done by hand.  The large seed should remain
secret
during its lifetime otherwise it will be subject to an inverse matrix
precomputation
attack.  It would be ideal if the PRNG had a large set of random small
seeds available
to it as well, so that the start of it's cycle per new session would be
unpredictable
(it too needs to be refreshed periodically).

- Alex

--

Alex Alten
Alten@ATTBI.com

Follow-Ups:
- RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
  - From: "David A. Mcgrew" <mcgrew@cisco.com>

References:
- RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
  - From: "David A. Mcgrew" <mcgrew@cisco.com>
- re: draft-ietf-ipsec-ciph-aes-ctr-00.txt
  - From: Klaus Helbig <kfh@zyfer.com>
- RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
  - From: "Housley, Russ" <rhousley@rsasecurity.com>

Prev by Date: RE: Two AES encryption modes?
Next by Date: RE: Two AES encryption modes?
Prev by thread: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
Next by thread: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
Index(es):
- Date
- Thread