RE: [Ipsec] Comment about 3664bis-01
Pasi.Eronen@nokia.com Wed, 20 April 2005 05:48 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DO84d-0001UR-Sv; Wed, 20 Apr 2005 01:48:31 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DO84b-0001UK-12 for ipsec@megatron.ietf.org; Wed, 20 Apr 2005 01:48:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA29317 for <ipsec@ietf.org>; Wed, 20 Apr 2005 01:48:28 -0400 (EDT)
From: Pasi.Eronen@nokia.com
Received: from mgw-x3.nokia.com ([131.228.20.26]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DO8Fl-0005xb-0L for ipsec@ietf.org; Wed, 20 Apr 2005 02:00:01 -0400
Received: from esdks001.ntc.nokia.com (esdks001.ntc.nokia.com [172.21.138.120]) by mgw-x3.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3K5mON15858; Wed, 20 Apr 2005 08:48:24 +0300 (EET DST)
X-Scanned: Wed, 20 Apr 2005 09:07:40 +0300 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks001.ntc.nokia.com (8.12.9/8.12.9) id j3K67ejB012433; Wed, 20 Apr 2005 09:07:40 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks001.ntc.nokia.com 00I1VQBL; Wed, 20 Apr 2005 09:07:38 EEST
Received: from esebh004.NOE.Nokia.com (esebh004.ntc.nokia.com [172.21.138.84]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3K5mDM13702; Wed, 20 Apr 2005 08:48:13 +0300 (EET DST)
Received: from esebe017.NOE.Nokia.com ([172.21.138.56]) by esebh004.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 20 Apr 2005 08:48:07 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebe017.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 20 Apr 2005 08:48:05 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Ipsec] Comment about 3664bis-01
Date: Wed, 20 Apr 2005 08:48:05 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F240C5E8A@esebe105.NOE.Nokia.com>
Thread-Topic: [Ipsec] Comment about 3664bis-01
thread-index: AcVFIXsr3mYwy/NfR8CiuvHHzJN56gASq0Eg
To: housley@vigilsec.com, ipsec@ietf.org
X-OriginalArrivalTime: 20 Apr 2005 05:48:05.0288 (UTC) FILETIME=[85C34A80:01C5456C]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Content-Transfer-Encoding: quoted-printable
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
I fully agree; that was just an example pointing out that unless we use a real "randomness extractor", there will be keys that are secure with all other PRFs, but not with AES-XCBC-MAC. Best regards, Pasi > -----Original Message----- > From: ext Russ Housley [mailto:housley@vigilsec.com] > Sent: Tuesday, April 19, 2005 11:50 PM > To: Eronen Pasi (Nokia-NRC/Helsinki); ipsec@ietf.org > Subject: Re: [Ipsec] Comment about 3664bis-01 > > > Pasi: > > The probability that all of the blocks are identical seems > very slim to me. > > Russ > > At 06:37 AM 4/19/2005, Pasi.Eronen@nokia.com wrote: > >draft-hoffman-rfc3664bis-01 says: > > > > > The key for AES-XCBC-PRF-128 is created as follows: > > > > > > o If the key is exactly 128 bits long, use it as-is. > > > > > > o If the key has fewer than 128 bits, pad it on the right with > > > zero bits until it is 128 bits long. > > > > > > o If the key is 129 bits or longer, call the first 128 bits > > > TKEY (temporary key) and the remaining bits TDATA (temporary > > > data). If TDATA's length is not a multiple of 128, pad TDATA > > > on the right with enough 0 bits to make its length an exact > > > multiple of 128. Encrypt each 128-bit block of TDATA with TKEY > > > using AES-128-EBC as the cipher. When finished, XOR the > > > resulting blocks in the same order as they were created. > > > >This way of using ECB mode fails horribly if, for instance, > >the input contains contains 128 bits of entropy, but for some > >strange reason consists of three copies of the same 128-bit > >block: the output would always be zero. > > > >What we really need here is a "randomness extractor" that > >produces a 128-bit output with sufficient entropy (with some > >suitable definitions of "sufficient" and "entropy") when > >given _any_ input with sufficient entropy, even if the input > >contains some known/guessable bits and/or structure. > > > >IKEv2 already assumes that AES-XCBC-PRF is a reasonable > >randomness extractor (when the key is chosen randomly), so > >something like this would IMHO be better: > > > > o If the key is 129 bits or longer, call the first 128 bits > > TKEY (temporary key) and the remaining bits TDATA (temporary > > data). Calculate AES-XCBC-PRF-128(TKEY, TDATA) and use > > the output as the key. > > > >But the assumption made here is slightly different from normal > >IKEv2 (where the key is Ni/Nr), so probably we should ask some > >crypto experts (Hugo, are you listening? :-) about this. > > > >Also, I'm not sure if doing this step only when the key is > >longer than 128 bits causes some problems, or whether it would > >be better to do it always (but then it would not be > >backwards-compatible with 3664 anymore). > > > >Best regards, > >Pasi > > > >_______________________________________________ > >Ipsec mailing list > >Ipsec@ietf.org > >https://www1.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Comment about 3664bis-01 Pasi.Eronen
- Re: [Ipsec] Comment about 3664bis-01 Russ Housley
- Re: [Ipsec] Comment about 3664bis-01 The Purple Streak, Hilarie Orman
- RE: [Ipsec] Comment about 3664bis-01 Pasi.Eronen
- RE: [Ipsec] Comment about 3664bis-01 Paul Hoffman