[dtn-security] CBC or counter mode?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 26 July 2006 20:12 UTC

Message-ID: <44C7CCAA.7030209@cs.tcd.ie>
Date: Wed, 26 Jul 2006 21:12:26 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: dtn-security@mailman.dtnrg.org
Cc: DTN <dtn-interest@mailman.dtnrg.org>
Subject: [dtn-security] CBC or counter mode?

In the current bundle security spec [1] we define a confidentiality
ciphersuite (CH-RSA-AES-PAYLOAD-PSH) that uses AES's cipher-block
chaining (CBC) mode of operation.

CBC mode means that all ciphertext bits depend on all previous
ciphertext bits, so if you lose some bits from the middle
of the bundle payload then you can no longer decrypt the bits
that follow.

There are other modes of operation generally termed "counter mode"
which do allow for decryption even if some bits get lost. Generally
these modes are a little trickier since it's easier to misuse them
and do the wrong security thing, but that's a problem we can solve.
Counter mode is also better from the p-o-v of parallel processing
but I don't think that matters as much here as the improved support
for fragmentation.

So, should we change from CBC to counter mode? I think we should
and that we should decide that now, since there are folks writing
code and it'd be better if we get this done before they release
their stuff. (There is an alternative which is to define two
ciphersuites but that makes the security document longer which is
a bad thing.)
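As an added illustration of the fragmentation point made in this message (example code, not from the bundle security spec or its author), the Python below uses a toy Feistel block cipher in place of AES and shows that a counter-mode fragment decrypts from its byte offset alone, while a CBC block cannot be recovered without the ciphertext block that precedes it. The key, IV, nonce and payload are constructed demo values.

```python
import hashlib

BLOCK = 16
KEY, IV, NONCE = b"k" * 16, b"i" * 16, b"n" * 8            # constructed demo values
PT = b"".join(b"block-%d payload!" % i for i in range(4))  # 64-byte constructed payload

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel toy cipher standing in for AES; NOT secure, demo only."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r
def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt_block(key: bytes, ct_block: bytes, prev_ct: bytes) -> bytes:
    # CBC: P_i = D(C_i) XOR C_{i-1}; the preceding ciphertext block is required.
    return xor(toy_decrypt_block(key, ct_block), prev_ct)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes, offset: int = 0) -> bytes:
    # CTR: each keystream byte depends only on (nonce, byte position), so a
    # fragment decrypts given its offset in the payload; no earlier bytes needed.
    out = bytearray()
    for i, b in enumerate(data):
        pos = offset + i
        ks = toy_encrypt_block(key, nonce + (pos // BLOCK).to_bytes(8, "big"))
        out.append(b ^ ks[pos % BLOCK])
    return bytes(out)

def demo() -> dict:
    ctr_ct = ctr_crypt(KEY, NONCE, PT)
    cbc_ct = cbc_encrypt(KEY, IV, PT)
    lo, hi = 20, 45                         # a fragment that is not even block-aligned
    return {
        "ctr_fragment": ctr_crypt(KEY, NONCE, ctr_ct[lo:hi], offset=lo) == PT[lo:hi],
        "cbc_with_prev": cbc_decrypt_block(KEY, cbc_ct[32:48], cbc_ct[16:32]) == PT[32:48],
        "cbc_without_prev": cbc_decrypt_block(KEY, cbc_ct[32:48], bytes(BLOCK)) == PT[32:48],
    }
```

The position-only keystream is also what makes counter mode easy to misuse: reusing a (key, nonce) pair reuses the keystream, so a ciphersuite built on it must guarantee a unique nonce per encrypted bundle.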