
Re: draft-ietf-ipsec-ciph-aes-ctr-00.txt



Hello Uri,

At 08:07 PM 7/29/2002 -0400, Uri Blumenthal wrote:
>On Monday 29 July 2002 18:56, Alex Alten wrote:
>> Thanks David,
>>
>> My misunderstanding of the IV generation details.  I just read your
>> other explanation of the secret starting offset for the IV sequence.
>> In your/Fluhrer's design, is this offset generated separately from
>> the key bits?
>
>Depending on how the key bits are generated, it may not matter.
>For example, if the key bits are produced by a crypto-strong PRNG,
>then the offset can be taken from that stream. [I admit that I 
>personally would prefer a different source, possibly with a different 
>keying of that same PRNG.]    Otherwise, there can be a big problem.
>
>> What if the key is used repeatedly, or in the worst case shared
>> among many hosts? 
>
>Shouldn't matter - because anyway the key is used for more than one 
>packet. What does matter is that the combination of Key+IV never 
>repeats.  Good random seeding should take care of it, I think.
>

Yes, but how do you get good random seeding?  This requires much 
more frequent reseeding than keys themselves need rekeying.  A PRNG
cannot produce more entropy than the original seed bits. This means
that for a given key a significant fraction of the encrypted IV+cntr
blocks from session to session will be likely to repeat.

>> What happens if a host reboots?  Does the secret
>> offset start at the same initial value?  If not, how do you
>> guarantee this?
>
>Good questions.   
>
>I'd say - seeding the generating PRNG with /dev/random output 
>after host reboot should give a reasonably good assurance.
>
>> BTW, I'm not completely clear on this aspect.  Does the sender
>> completely control the IV sequence generation? 
>
>He better!

OK.  What if he's a $300 IPsec box?  What guarantee do you have
that the IV sequence generation is done well?  What quality of random
source can be expected on this low-end device?

>
>> Can the receiver process incoming packets out-of-order or handle 
>> dropped packets?
>
>Again, he better. 

What about fragmented packets?

Regards,

- Alex

>-- 
>Regards,
>Uri-David
>-=-=-<>-=-=-
><Disclaimer>
>
--

Alex Alten
Alten@ATTBI.com
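The exchange above turns on one requirement: under a given key, the (IV, counter) block fed to the cipher must never repeat, and a PRNG reseeded from a weak source at boot cannot promise that. The following simulation is an added example, not code from the thread or from the draft; it assumes a 64-bit per-session IV in the high half of the counter block and a 64-bit block counter in the low half (the split is a constructed assumption), uses Python's stdlib `random` as a stand-in for both the device PRNG and its boot-time noise source, and models a hypothetical low-end box with only 8 bits of boot entropy against an allocator that persists a reservation to non-volatile storage before handing out IVs. The collision tracker counts counter-block reuse under one key, which in CTR mode is exactly keystream reuse.

```python
# Added example (not from the mailing-list thread): counter-block uniqueness
# across reboots in CTR mode.  Stdlib only; IV/counter split, entropy figures
# and chunk size are constructed assumptions for illustration.
import random

IV_BITS = 64          # per-session IV / secret offset (high half of the block)
CTR_BITS = 64         # per-packet block counter (low half of the block)


def counter_block(iv: int, block_index: int) -> int:
    """Counter block fed to the cipher: IV || block index, 128 bits total."""
    if not (0 <= iv < 1 << IV_BITS and 0 <= block_index < 1 << CTR_BITS):
        raise ValueError("iv or block index out of range")
    return (iv << CTR_BITS) | block_index


class CounterBlockTracker:
    """Records every counter block used under one key and counts reuse.

    The CTR keystream block depends only on (key, counter block), so every
    repeat counted here is a keystream block reused under the same key.
    """

    def __init__(self) -> None:
        self.seen = set()
        self.collisions = 0

    def use_session(self, iv: int, nblocks: int) -> None:
        for i in range(nblocks):
            cb = counter_block(iv, i)
            if cb in self.seen:
                self.collisions += 1
            else:
                self.seen.add(cb)


class LowEntropyDevice:
    """Hypothetical box that reseeds its IV PRNG at boot from seed_bits of entropy."""

    def __init__(self, seed_bits: int, world_seed: int = 1) -> None:
        self.seed_bits = seed_bits
        self._world = random.Random(world_seed)  # stands in for the noise source

    def reboot_and_pick_iv(self) -> int:
        boot_seed = self._world.getrandbits(self.seed_bits)
        prng = random.Random(boot_seed)          # output is a function of the seed only
        return prng.getrandbits(IV_BITS)


class PersistentIvAllocator:
    """IV allocator that survives reboots.

    It reserves IVs in chunks and writes the end of the reservation to
    non-volatile storage *before* handing any out, so a crash or reboot can
    waste IVs but never reuse one.
    """

    def __init__(self, nvram: dict, chunk: int = 16) -> None:
        self.nvram = nvram            # stands in for flash or a file that survives reboot
        self.chunk = chunk
        self.next_iv = nvram.get("reserved_upto", 0)
        self.reserved_upto = self.next_iv

    def next(self) -> int:
        if self.next_iv >= self.reserved_upto:
            self.reserved_upto = self.next_iv + self.chunk
            self.nvram["reserved_upto"] = self.reserved_upto  # write-ahead
        iv = self.next_iv
        self.next_iv += 1
        if iv >= 1 << IV_BITS:
            raise RuntimeError("IV space exhausted: rekey before continuing")
        return iv


def simulate_low_entropy(seed_bits: int, reboots: int, blocks: int = 4) -> int:
    """Reused counter blocks after `reboots` sessions under one key."""
    dev = LowEntropyDevice(seed_bits)
    tracker = CounterBlockTracker()
    for _ in range(reboots):
        tracker.use_session(dev.reboot_and_pick_iv(), blocks)
    return tracker.collisions


def simulate_persistent(reboots: int, blocks: int = 4, crash_every: int = 3) -> int:
    """Same count for the persistent allocator, losing in-memory state every
    `crash_every` sessions to model a reboot."""
    nvram: dict = {}
    alloc = PersistentIvAllocator(nvram)
    tracker = CounterBlockTracker()
    for s in range(reboots):
        if s % crash_every == 0:
            alloc = PersistentIvAllocator(nvram)   # fresh process, same NVRAM
        tracker.use_session(alloc.next(), blocks)
    return tracker.collisions


if __name__ == "__main__":
    print("8-bit boot entropy, 1000 sessions:", simulate_low_entropy(8, 1000))
    print("persistent allocator, 1000 sessions:", simulate_persistent(1000))
```

With 8 bits of boot entropy there are only 256 possible PRNG states, so after 1000 reboots at least 744 sessions must reuse an earlier IV and every counter block in those sessions repeats; the persistent allocator produces no repeats no matter how often the process restarts, at the cost of skipping at most one chunk of IVs per reboot. The same pigeonhole argument is why a PRNG cannot stretch a few seed bits into a long-lived guarantee of Key+IV uniqueness.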