
Re: draft-ietf-ipsec-ciph-aes-ctr-00.txt



On Monday 29 July 2002 18:56, Alex Alten wrote:
> Thanks David,
>
> My misunderstanding of the IV generation details.  I just read your
> other explanation of the secret starting offset for the IV sequence.
> In your/Fluhrer's design, is this offset generated separately from
> the key bits?

Depending on how the key bits are generated, it may not matter.
For example, if the key bits are produced by a crypto-strong PRNG,
then the offset can be taken from that stream. [I admit that I 
personally would prefer a different source, possibly with a different 
keying of that same PRNG.]    Otherwise, there can be a big problem.

> What if the key is used repeatedly, or in the worst case shared
> among many hosts? 

Shouldn't matter - because anyway the key is used for more than one 
packet. What does matter is that the combination of Key+IV never 
repeats.  Good random seeding should take care of it, I think.

> What happens if a host reboots?  Does the secret
> offset start at the same initial value?  If not, how do you
> guarantee this?

Good questions.   

I'd say - seeding the generating PRNG with /dev/random output 
after host reboot should give a reasonably good assurance.

> BTW, I'm not completely clear on this aspect.  Does the sender
> completely control the IV sequence generation? 

He better!

> Can the receiver process incoming packets out-of-order or handle 
> dropped packets?

Again, he better. 
-- 
Regards,
Uri-David
-=-=-<>-=-=-
<Disclaimer>
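
An added example, not part of the message above or of the draft: a sender-owned IV sequence with a start offset drawn from the OS random source at each start-up, a receiver that decrypts dropped or reordered packets from the IV carried in each packet, and a check showing what a reboot to the same offset does. Assumptions: HMAC-SHA256 stands in for the AES block operation so the block runs on the standard library alone, the IV is taken to travel with each packet, and all names (`Sender`, `open_packet`, `reboot_reuses_keystream`) are hypothetical.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 is a stand-in for AES here."""
    out = b""
    ctr = 0
    while len(out) < length:
        # Counter block = per-packet IV || block counter within the packet.
        block_in = iv.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block_in, hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """The sender alone owns the IV sequence: start offset plus increment."""
    def __init__(self, key: bytes, start=None):
        self.key = key
        # Fresh 64-bit offset from the OS RNG at every start-up (after reboot).
        # Passing `start` models a host that comes back up at a fixed value.
        self.iv = secrets.randbits(64) if start is None else start

    def seal(self, plaintext: bytes):
        iv = self.iv
        self.iv = (self.iv + 1) % 2**64
        return iv, xor(plaintext, keystream(self.key, iv, len(plaintext)))

def open_packet(key: bytes, packet) -> bytes:
    """Receiver keeps no sequence state: key plus the packet's IV suffice."""
    iv, ct = packet
    return xor(ct, keystream(key, iv, len(ct)))

def reboot_reuses_keystream(key: bytes, start) -> bool:
    """True if two boots using `start` encrypt under the same keystream."""
    p1, p2 = b"constructed packet A", b"constructed packet B"
    _, c1 = Sender(key, start).seal(p1)   # first boot
    _, c2 = Sender(key, start).seal(p2)   # second boot, same key
    # With a repeated Key+IV the keystream cancels: c1 ^ c2 == p1 ^ p2.
    return xor(c1, c2) == xor(p1, p2)
```
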