[Ipsec] Comment about 3664bis-01
Pasi.Eronen@nokia.com Tue, 19 April 2005 10:39 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DNq8W-0007yE-Av; Tue, 19 Apr 2005 06:39:21 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DNq8Q-0007y1-Vd for ipsec@megatron.ietf.org; Tue, 19 Apr 2005 06:39:15 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA26470 for <ipsec@ietf.org>; Tue, 19 Apr 2005 06:39:11 -0400 (EDT)
From: Pasi.Eronen@nokia.com
Received: from mgw-x3.nokia.com ([131.228.20.26]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DNqJP-0008Mf-Um for ipsec@ietf.org; Tue, 19 Apr 2005 06:50:37 -0400
Received: from esdks003.ntc.nokia.com (esdks003.ntc.nokia.com [172.21.138.158]) by mgw-x3.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3JAd5N24317 for <ipsec@ietf.org>; Tue, 19 Apr 2005 13:39:06 +0300 (EET DST)
X-Scanned: Tue, 19 Apr 2005 13:38:39 +0300 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks003.ntc.nokia.com (8.12.9/8.12.9) id j3JAcdbS011118 for <ipsec@ietf.org>; Tue, 19 Apr 2005 13:38:39 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks003.ntc.nokia.com 00gGyE4p; Tue, 19 Apr 2005 13:38:07 EEST
Received: from esebh001.NOE.Nokia.com (esebh001.ntc.nokia.com [172.21.138.28]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3JAbmM22325 for <ipsec@ietf.org>; Tue, 19 Apr 2005 13:37:48 +0300 (EET DST)
Received: from esebe016.NOE.Nokia.com ([172.21.138.55]) by esebh001.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Tue, 19 Apr 2005 13:37:48 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebe016.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Tue, 19 Apr 2005 13:37:47 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 19 Apr 2005 13:37:47 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F240C5E81@esebe105.NOE.Nokia.com>
Thread-Topic: Comment about 3664bis-01
thread-index: AcVEy9Qd7qBbI9V6QSWKoTzNi/7mEg==
To: ipsec@ietf.org
X-OriginalArrivalTime: 19 Apr 2005 10:37:47.0911 (UTC) FILETIME=[D4335170:01C544CB]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 769a46790fb42fbb0b0cc700c82f7081
Content-Transfer-Encoding: quoted-printable
Subject: [Ipsec] Comment about 3664bis-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
draft-hoffman-rfc3664bis-01 says:
> The key for AES-XCBC-PRF-128 is created as follows:
>
> o If the key is exactly 128 bits long, use it as-is.
>
> o If the key has fewer than 128 bits, pad it on the right with
> zero bits until it is 128 bits long.
>
> o If the key is 129 bits or longer, call the first 128 bits
> TKEY (temporary key) and the remaining bits TDATA (temporary
> data). If TDATA's length is not a multiple of 128, pad TDATA
> on the right with enough 0 bits to make its length an exact
> multiple of 128. Encrypt each 128-bit block of TDATA with TKEY
> using AES-128-EBC as the cipher. When finished, XOR the
> resulting blocks in the same order as they were created.
This way of using ECB mode fails horribly if, for instance,
the input contains contains 128 bits of entropy, but for some
strange reason consists of three copies of the same 128-bit
block: the output would always be zero.
What we really need here is a "randomness extractor" that
produces a 128-bit output with sufficient entropy (with some
suitable definitions of "sufficient" and "entropy") when
given _any_ input with sufficient entropy, even if the input
contains some known/guessable bits and/or structure.
IKEv2 already assumes that AES-XCBC-PRF is a reasonable
randomness extractor (when the key is chosen randomly), so
something like this would IMHO be better:
o If the key is 129 bits or longer, call the first 128 bits
TKEY (temporary key) and the remaining bits TDATA (temporary
data). Calculate AES-XCBC-PRF-128(TKEY, TDATA) and use
the output as the key.
But the assumption made here is slightly different from normal
IKEv2 (where the key is Ni/Nr), so probably we should ask some
crypto experts (Hugo, are you listening? :-) about this.
Also, I'm not sure if doing this step only when the key is
longer than 128 bits causes some problems, or whether it would
be better to do it always (but then it would not be
backwards-compatible with 3664 anymore).
Best regards,
Pasi
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Comment about 3664bis-01 Pasi.Eronen
- Re: [Ipsec] Comment about 3664bis-01 Russ Housley
- Re: [Ipsec] Comment about 3664bis-01 The Purple Streak, Hilarie Orman
- RE: [Ipsec] Comment about 3664bis-01 Pasi.Eronen
- RE: [Ipsec] Comment about 3664bis-01 Paul Hoffman