Re: [Ipsec] Comment about 3664bis-01
Russ Housley <housley@vigilsec.com> Tue, 19 April 2005 20:50 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DNzfV-0006VR-30; Tue, 19 Apr 2005 16:50:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DNzfQ-0006SY-Ce for ipsec@megatron.ietf.org; Tue, 19 Apr 2005 16:49:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25598 for <ipsec@ietf.org>; Tue, 19 Apr 2005 16:49:53 -0400 (EDT)
Received: from woodstock.binhost.com ([144.202.243.4]) by ietf-mx.ietf.org with smtp (Exim 4.33) id 1DNzqV-0007im-J5 for ipsec@ietf.org; Tue, 19 Apr 2005 17:01:24 -0400
Received: (qmail 28102 invoked by uid 0); 19 Apr 2005 20:49:46 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.135.227) by woodstock.binhost.com with SMTP; 19 Apr 2005 20:49:46 -0000
Message-Id: <6.2.0.14.2.20050419164905.05f99640@mail.binhost.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Tue, 19 Apr 2005 16:49:47 -0400
To: Pasi.Eronen@nokia.com, ipsec@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [Ipsec] Comment about 3664bis-01
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F240C5E81@esebe105.NOE.Nokia. com>
References: <B356D8F434D20B40A8CEDAEC305A1F240C5E81@esebe105.NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 02ec665d00de228c50c93ed6b5e4fc1a
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Pasi: The probability that all of the blocks are identical seems very slim to me. Russ At 06:37 AM 4/19/2005, Pasi.Eronen@nokia.com wrote: >draft-hoffman-rfc3664bis-01 says: > > > The key for AES-XCBC-PRF-128 is created as follows: > > > > o If the key is exactly 128 bits long, use it as-is. > > > > o If the key has fewer than 128 bits, pad it on the right with > > zero bits until it is 128 bits long. > > > > o If the key is 129 bits or longer, call the first 128 bits > > TKEY (temporary key) and the remaining bits TDATA (temporary > > data). If TDATA's length is not a multiple of 128, pad TDATA > > on the right with enough 0 bits to make its length an exact > > multiple of 128. Encrypt each 128-bit block of TDATA with TKEY > > using AES-128-EBC as the cipher. When finished, XOR the > > resulting blocks in the same order as they were created. > >This way of using ECB mode fails horribly if, for instance, >the input contains contains 128 bits of entropy, but for some >strange reason consists of three copies of the same 128-bit >block: the output would always be zero. > >What we really need here is a "randomness extractor" that >produces a 128-bit output with sufficient entropy (with some >suitable definitions of "sufficient" and "entropy") when >given _any_ input with sufficient entropy, even if the input >contains some known/guessable bits and/or structure. > >IKEv2 already assumes that AES-XCBC-PRF is a reasonable >randomness extractor (when the key is chosen randomly), so >something like this would IMHO be better: > > o If the key is 129 bits or longer, call the first 128 bits > TKEY (temporary key) and the remaining bits TDATA (temporary > data). Calculate AES-XCBC-PRF-128(TKEY, TDATA) and use > the output as the key. > >But the assumption made here is slightly different from normal >IKEv2 (where the key is Ni/Nr), so probably we should ask some >crypto experts (Hugo, are you listening? :-) about this. > >Also, I'm not sure if doing this step only when the key is >longer than 128 bits causes some problems, or whether it would >be better to do it always (but then it would not be >backwards-compatible with 3664 anymore). > >Best regards, >Pasi > >_______________________________________________ >Ipsec mailing list >Ipsec@ietf.org >https://www1.ietf.org/mailman/listinfo/ipsec _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] Comment about 3664bis-01 Pasi.Eronen
- Re: [Ipsec] Comment about 3664bis-01 Russ Housley
- Re: [Ipsec] Comment about 3664bis-01 The Purple Streak, Hilarie Orman
- RE: [Ipsec] Comment about 3664bis-01 Pasi.Eronen
- RE: [Ipsec] Comment about 3664bis-01 Paul Hoffman