
RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms



The problem with WEP is that although there's a secret part to the key (40
or 104 bits), that part never changes.  The IV is 24 bits which means that
there are only 2^24 possible streams.  Even assuming that the IVs are
uniformly random, you can expect collisions after a few thousand packets.

But we're not here to discuss WEP.  I only brought it up as an example of
how key-length does not equal security.

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Henry Spencer
Sent: Monday, June 16, 2003 6:14 PM
To: IP Security List
Subject: Re: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms


On Mon, 16 Jun 2003, Bill Sommerfeld wrote:
> > Correct.  The cipher is RC4, which is (last I heard) still thought to be
> > okay.
>
> Okay, but not great.
> RC4 is a stream cipher which comes with additional special handling
> recommendations ("For best results, discard first N bytes of output
> after keying").

My impression is that said recommendation applies only with non-random
keys.  When I dug into this (albeit briefly) a while back, I was unable to
find any source for that recommendation which didn't trace back to WEP's
disastrously non-random key-generation procedure.

I would be curious to know whether this is still an issue *with* good
random-bits keys.  (With a reference, not just folklore; my suspicion is
that the WEP problem is being over-generalized in the folklore.)

                                                          Henry Spencer
                                                       henry@spsystems.net