RE: [Ipsec] a new draft
Dear Yoav Nir,
Thank you very much for this good point.
I should have remembered the birthday attack
problem. :-)
The IV was one of our concerns when writing this document.
That is why we also suggest using another hash
operation over the "IV" field to generate a random IV
for encryption and decryption. We feel that it is
worth having the anti-replay service at the cost of
only one hash operation.
Sincerely,
fan
> Hi.
> As you state in section 3.5.2, there is a requirement for the IV to be
> unique within the lifetime of the key.
> Suppose we are using 3DES-CBC, and replacing the key after 1,000,000 IP
> packets have been sent. If you generate the full 64-bit IV randomly, the
> chances of a collision (two IVs being identical) are 0.0000027%. That's
> low enough that most of us will accept the risk.
> If we fix 16 bits of the IV, and generate only 48 random bits, then the
> likelihood of a collision rises to 0.177%, which may very well be
> unacceptable to many.
> With AES-CBC, this is not a problem, as 112 bits of randomness are plenty.
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
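The collision figures in the quoted message are the birthday bound applied to the number of random IV bits. The following is an added example, not code from the IPsec list, the draft under discussion, or its authors; it reproduces those figures for a given packet count and IV layout, and inverts the bound to obtain a rekey threshold for a chosen risk level. The function names and the one-in-a-million threshold are my own choices.

```python
# Added example: birthday-bound arithmetic for random IVs.
# Not code from the IPsec list, the draft under discussion, or its authors;
# function names and the rekey threshold below are my own choices.
from math import expm1, log1p, sqrt


def collision_probability(n: int, random_bits: int) -> float:
    """Probability that at least two of n IVs collide when each IV carries
    random_bits uniformly random bits (any fixed bits contribute nothing).

    Uses the standard birthday approximation p = 1 - exp(-n(n-1)/(2N)) with
    N = 2**random_bits; it is accurate whenever n is far below sqrt(N),
    which holds for every case in the thread.
    """
    if n < 2:
        return 0.0
    space = 2 ** random_bits
    return -expm1(-(n * (n - 1)) / (2 * space))


def max_packets(p_max: float, random_bits: int) -> int:
    """Largest packet count before the collision probability exceeds p_max.

    Inverts the approximation above: n = sqrt(-2 N ln(1 - p_max)).
    A defender can use this as a rekey threshold for a given IV layout.
    """
    space = 2 ** random_bits
    return int(sqrt(-2.0 * space * log1p(-p_max)))


def iv_risk_table(packets: int) -> dict:
    """Collision probability for the three IV layouts compared in the thread."""
    layouts = {
        "3DES-CBC, 64-bit IV fully random": 64,
        "3DES-CBC, 16 bits fixed, 48 random": 48,
        "AES-CBC, 16 bits fixed, 112 random": 112,
    }
    return {name: collision_probability(packets, bits)
            for name, bits in layouts.items()}


if __name__ == "__main__":
    packets = 1_000_000  # rekey interval from the quoted message
    for name, p in iv_risk_table(packets).items():
        print(f"{name}: P(repeated IV in {packets:,} packets) = {p:.3e} "
              f"({p * 100:.7f}%)")
    for bits in (48, 64, 112):
        print(f"{bits} random bits: rekey before {max_packets(1e-6, bits):,} "
              f"packets to keep the collision probability below one in a million")
```

Run as-is it prints the 0.0000027% and 0.177% figures from the message for one million packets, and shows why fixing 16 bits of a 64-bit IV matters so much more than fixing 16 bits of a 128-bit one: the rekey interval at a fixed risk level scales with the square root of the IV space, so dropping 16 random bits shortens it by a factor of 256.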