[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NIST comments on counter mode

To: ipsec@lists.tislabs.com
Subject: NIST comments on counter mode
From: Barbara Fraser <byfraser@cisco.com>
Date: Fri, 22 Nov 2002 10:20:40 -0800
Sender: owner-ipsec@lists.tislabs.com

Folks,

Last August when the issue of FIPS-140 evaluation was mentioned, Ted and I dropped a quick note to NIST to get their input. Arguably, we should have cc'd the wg but at the time we were also trying to cool some heated communications. That being said, it does make sense to get this exchange included in the working group archives, and this week I asked and received permission from Bill Burr to forward his email to the list.

Barb

============

X-Sender: wburr@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 14 Aug 2002 13:56:04 -0400
From: Bill Burr <william.burr@nist.gov>
Subject: Re: AES Counter Mode and SHA-256

Ted,

It may well be that it would be cleaner from an implementation and validation point of view to separate the encryption counter field from the packet sequence.

I suspect that, if you were making a totally new IPSec implementation from scratch, or designing the whole protocol from scratch, it wouldn't be any big deal to use the packet sequence counter as the encryption counter. But I would imagine that, when you are adding a new counter encryption mode to an existing IPSec protocol or implementation, it might well simplify your life to use a separate counter IV field, because otherwise you might well need to expand the crypto module boundary significantly to encompass a counter driven from the packet sequence number, and you may not have built your existing code with that in mind at all. I can't believe that killing the two birds with the one counter makes FIPS 140 validation impossible, but I could easily believe that it might double your implementation and validation costs for the counter mode, or worse.

My intuition tells me that the cleanest, easiest way to add a secure, easily validated counter mode in IPSEC is to use a separate counter IV in every packet. This comes, of course, at the expense of extra overhead in every packet. But we at NIST are not the best people to estimate the cost to actual implementations of validating either solution.

I'm just saying that NIST isn't a priori ruling out driving your counter from your packet sequence number. In fact that is the sort of thing we had thought a lot of folks would want to do.

Bill Burr

At 12:08 PM 8/14/02 -0400, Theodore Ts'o wrote:

On Wed, Aug 14, 2002 at 11:00:42AM -0400, Bill Burr wrote:
>
> So the bottom line is that an implicit counter synchronization mechanism
> should not itself any bar to FIPS 140-2 validation of IPSEC implantations
> of a counter mode. But in cryptography, the details matter, and we don't
> have a lot of counter mode FIPS 140 precedent yet to work from. Pioneers
> in FIPS new kinds of 140 validations, like pioneers generally, tend to step
> in unmarked holes. When we allow the kind of flexibility we have with
> counter mode, that makes the validation lab's job harder, and we have to
> come up with the precise test requirements that the labs must apply.
>

Bill,

Thanks for your comments. The specific question which has come up is
with AES counter mode, and whether or not the IV should be generated
from the normal IPSEC packet sequence, or whether the IV should be
divorced from the IPSEC packet sequence number.

The argument in favor of divorcing the AES counter mode IV from the
IPSEC sequence counter is that it means that the code which handles
the IPSEC packet sequence number (which would drag in largish portions
of the IKE implementation) into the parts of the code which would need
to be validated for FIPS 140 purposes. If a separate field were used,
which was included in the ESP headers, then (so the argument goes)
only the ESP implementation would need FIPS 140 validation. (Steve,
please correct me if I haven't stated your concerns cogently.)

The argument on the other side of this issue is that the extra field
adds bulk to the packet size, and this overhead might be an issue in
certain applications.

There are unsettled points on both sides of this issue. On the
"overhead is bad" side, it is unclear whether or not the overhead is
in fact really a major problem, since it depends very much on the
application, and complete details of example applications where this
would be a problem has yet to be forthcoming.

On the "keep the code that needs to be evaluated small" argument, I
don't yet understand what the impacts would be of (in the worst case)
the entire IKE implementation in a FIPS 140 validation. Does it make
the validation impossible? Does it raise the costs by a factor of 2?
10? 100? 1000?

Many thanks for taking the time to look at this issue.

- Ted

William E. Burr
NIST
Manager, Security Technology Group
301-975-2914
william.burr@nist.gov

Prev by Date: Re: SPD policy document/article
Next by Date: Re: SPD policy document/article
Prev by thread: RE: Counter Mode Security: Attacks, Storage & a Proposal
Next by thread: Changing the cookie order in IKEv2
Index(es):
- Date
- Thread