
RE: [Ipsec] a new draft




Dear Yoav Nir,

Thank you very much for this good point.
I should have remembered the birthday attack 
problem. :-)

The IV is one of our concerns when writing this document.
That is why we also suggest using another hash 
operation over the "IV" field to generate a random IV
for encryption and decryption. We feel that it is 
worth having the anti-replay service at the cost of
only one hash operation. 

Sincerely,
fan 


> Hi.

> As you state in section 3.5.2, there is a requirement for the IV to be
> unique within the lifetime of the key.

> Suppose we are using 3DES-CBC, and replacing the key after 1,000,000 IP
> packets have been sent.  If you generate the full 64-bit IV randomly, the
> chances of a collision (two IVs being identical) are 0.0000027%.  That's
> low enough that most of us will accept the risk.
> If we fix 16 bits of the IV, and generate only 48 random bits, then the
> likelihood of a collision rises to 0.177%, which may very well be
> unacceptable to many.

> With AES-CBC, this is not a problem, as 112 bits of randomness are plenty.
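The collision figures in the quoted reply follow from the birthday bound. The script below is an added example, not code from the draft or from either poster: it reproduces the three numbers above (64, 48 and 112 random IV bits over 1,000,000 packets), generalises them to any packet count and bit width, derives the largest packet count that keeps the collision probability under a chosen threshold (useful as a rekey trigger), and cross-checks the formula with a Monte Carlo run at a small, constructed IV width. All parameters other than the ones quoted in the thread are assumptions chosen for illustration.

```python
"""Birthday-bound check for IV reuse within one key's lifetime.

Added example, not part of the original mailing-list thread.  For n packets
and b bits of randomness in the IV, the chance that at least two IVs coincide
is approximately

    p = 1 - exp(-n(n-1) / (2 * 2**b))
"""
import math
import random


def birthday_collision_probability(n: int, random_bits: int) -> float:
    """Probability that n IVs drawn uniformly from 2**random_bits values
    contain at least one repeat (standard birthday approximation).
    expm1 keeps precision when the probability is tiny."""
    pairs = n * (n - 1) / 2
    return -math.expm1(-pairs / 2 ** random_bits)


def packets_for_probability(p: float, random_bits: int) -> int:
    """Largest n such that the collision probability stays at or below p,
    i.e. the inverse of the formula above: n ~ sqrt(-2 * 2**b * ln(1 - p)).
    Handy as a packet-count rekey threshold for a given IV width."""
    return int(math.sqrt(-2 * 2 ** random_bits * math.log1p(-p)))


def simulate_collision_rate(n: int, random_bits: int, trials: int,
                            seed: int = 1) -> float:
    """Monte Carlo cross-check at a small, constructed IV width: fraction of
    trials in which n random IVs of random_bits bits contain a repeat.
    Only feasible for small widths; the closed form covers the real ones."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n):
            iv = rng.getrandbits(random_bits)
            if iv in seen:
                hits += 1
                break
            seen.add(iv)
    return hits / trials


if __name__ == "__main__":
    n = 1_000_000  # packets per key, as in the quoted reply
    cases = (
        ("3DES-CBC, 64 random bits", 64),
        ("3DES-CBC, 16 fixed + 48 random bits", 48),
        ("AES-CBC, 16 fixed + 112 random bits", 112),
    )
    for label, bits in cases:
        p = birthday_collision_probability(n, bits)
        print(f"{label}: {100 * p:.7f}% chance of an IV repeat")
    # Assumed policy threshold of 0.001% for the rekey example.
    print("48 random bits, keep p <= 0.001%: rekey after",
          packets_for_probability(1e-5, 48), "packets")
    # Constructed small case: 16-bit IVs, 300 packets, 2000 trials.
    print("Monte Carlo (16-bit IVs, 300 packets):",
          simulate_collision_rate(300, 16, 2000),
          "vs formula", round(birthday_collision_probability(300, 16), 3))
```

The closed form matches the quoted figures (about 0.0000027% and 0.177%); the rekey helper shows that with 48 random bits a 0.001% budget is exhausted after roughly 75,000 packets, which is why the 16-bit reduction matters in practice.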


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec