IETF Logo Mail Archive

RE: [Ipsec] Comment about 3664bis-01

Pasi.Eronen@nokia.com Wed, 20 April 2005 05:48 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DO84d-0001UR-Sv; Wed, 20 Apr 2005 01:48:31 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DO84b-0001UK-12 for ipsec@megatron.ietf.org; Wed, 20 Apr 2005 01:48:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA29317 for <ipsec@ietf.org>; Wed, 20 Apr 2005 01:48:28 -0400 (EDT)
From: Pasi.Eronen@nokia.com
Received: from mgw-x3.nokia.com ([131.228.20.26]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DO8Fl-0005xb-0L for ipsec@ietf.org; Wed, 20 Apr 2005 02:00:01 -0400
Received: from esdks001.ntc.nokia.com (esdks001.ntc.nokia.com [172.21.138.120]) by mgw-x3.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3K5mON15858; Wed, 20 Apr 2005 08:48:24 +0300 (EET DST)
X-Scanned: Wed, 20 Apr 2005 09:07:40 +0300 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks001.ntc.nokia.com (8.12.9/8.12.9) id j3K67ejB012433; Wed, 20 Apr 2005 09:07:40 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks001.ntc.nokia.com 00I1VQBL; Wed, 20 Apr 2005 09:07:38 EEST
Received: from esebh004.NOE.Nokia.com (esebh004.ntc.nokia.com [172.21.138.84]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id j3K5mDM13702; Wed, 20 Apr 2005 08:48:13 +0300 (EET DST)
Received: from esebe017.NOE.Nokia.com ([172.21.138.56]) by esebh004.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 20 Apr 2005 08:48:07 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebe017.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 20 Apr 2005 08:48:05 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Ipsec] Comment about 3664bis-01
Date: Wed, 20 Apr 2005 08:48:05 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F240C5E8A@esebe105.NOE.Nokia.com>
Thread-Topic: [Ipsec] Comment about 3664bis-01
thread-index: AcVFIXsr3mYwy/NfR8CiuvHHzJN56gASq0Eg
To: housley@vigilsec.com, ipsec@ietf.org
X-OriginalArrivalTime: 20 Apr 2005 05:48:05.0288 (UTC) FILETIME=[85C34A80:01C5456C]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Content-Transfer-Encoding: quoted-printable
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

I fully agree; that was just an example pointing out that 
unless we use a real "randomness extractor", there will 
be keys that are secure with all other PRFs, but not with 
AES-XCBC-MAC. 

Best regards,
Pasi

> -----Original Message-----
> From: ext Russ Housley [mailto:housley@vigilsec.com]
> Sent: Tuesday, April 19, 2005 11:50 PM
> To: Eronen Pasi (Nokia-NRC/Helsinki); ipsec@ietf.org
> Subject: Re: [Ipsec] Comment about 3664bis-01
> 
> 
> Pasi:
> 
> The probability that all of the blocks are identical seems 
> very slim to me.
> 
> Russ
> 
> At 06:37 AM 4/19/2005, Pasi.Eronen@nokia.com wrote:
> >draft-hoffman-rfc3664bis-01 says:
> >
> > > The key for AES-XCBC-PRF-128 is created as follows:
> > >
> > > o  If the key is exactly 128 bits long, use it as-is.
> > >
> > > o  If the key has fewer than 128 bits, pad it on the right with
> > >    zero bits until it is 128 bits long.
> > >
> > > o  If the key is 129 bits or longer, call the first 128 bits
> > >    TKEY (temporary key) and the remaining bits TDATA (temporary
> > >    data).  If TDATA's length is not a multiple of 128, pad TDATA
> > >    on the right with enough 0 bits to make its length an exact
> > >    multiple of 128. Encrypt each 128-bit block of TDATA with TKEY
> > >    using AES-128-EBC as the cipher.  When finished, XOR the
> > >    resulting blocks in the same order as they were created.
> >
> >This way of using ECB mode fails horribly if, for instance,
> >the input contains contains 128 bits of entropy, but for some
> >strange reason consists of three copies of the same 128-bit
> >block: the output would always be zero.
> >
> >What we really need here is a "randomness extractor" that
> >produces a 128-bit output with sufficient entropy (with some
> >suitable definitions of "sufficient" and "entropy") when
> >given _any_ input with sufficient entropy, even if the input
> >contains some known/guessable bits and/or structure.
> >
> >IKEv2 already assumes that AES-XCBC-PRF is a reasonable
> >randomness extractor (when the key is chosen randomly), so
> >something like this would IMHO be better:
> >
> >    o If the key is 129 bits or longer, call the first 128 bits
> >      TKEY (temporary key) and the remaining bits TDATA (temporary
> >      data). Calculate AES-XCBC-PRF-128(TKEY, TDATA) and use
> >      the output as the key.
> >
> >But the assumption made here is slightly different from normal
> >IKEv2 (where the key is Ni/Nr), so probably we should ask some
> >crypto experts (Hugo, are you listening? :-) about this.
> >
> >Also, I'm not sure if doing this step only when the key is
> >longer than 128 bits causes some problems, or whether it would
> >be better to do it always (but then it would not be
> >backwards-compatible with 3664 anymore).
> >
> >Best regards,
> >Pasi
> >
> >_______________________________________________
> >Ipsec mailing list
> >Ipsec@ietf.org
> >https://www1.ietf.org/mailman/listinfo/ipsec
> 
> 

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email