IETF Logo Mail Archive

Re: [Ipsec] Comment about 3664bis-01

Russ Housley <housley@vigilsec.com> Tue, 19 April 2005 20:50 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DNzfV-0006VR-30; Tue, 19 Apr 2005 16:50:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DNzfQ-0006SY-Ce for ipsec@megatron.ietf.org; Tue, 19 Apr 2005 16:49:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25598 for <ipsec@ietf.org>; Tue, 19 Apr 2005 16:49:53 -0400 (EDT)
Received: from woodstock.binhost.com ([144.202.243.4]) by ietf-mx.ietf.org with smtp (Exim 4.33) id 1DNzqV-0007im-J5 for ipsec@ietf.org; Tue, 19 Apr 2005 17:01:24 -0400
Received: (qmail 28102 invoked by uid 0); 19 Apr 2005 20:49:46 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.135.227) by woodstock.binhost.com with SMTP; 19 Apr 2005 20:49:46 -0000
Message-Id: <6.2.0.14.2.20050419164905.05f99640@mail.binhost.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Tue, 19 Apr 2005 16:49:47 -0400
To: Pasi.Eronen@nokia.com, ipsec@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [Ipsec] Comment about 3664bis-01
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F240C5E81@esebe105.NOE.Nokia. com>
References: <B356D8F434D20B40A8CEDAEC305A1F240C5E81@esebe105.NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 02ec665d00de228c50c93ed6b5e4fc1a
Cc:
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

Pasi:

The probability that all of the blocks are identical seems very slim to me.

Russ

At 06:37 AM 4/19/2005, Pasi.Eronen@nokia.com wrote:
>draft-hoffman-rfc3664bis-01 says:
>
> > The key for AES-XCBC-PRF-128 is created as follows:
> >
> > o  If the key is exactly 128 bits long, use it as-is.
> >
> > o  If the key has fewer than 128 bits, pad it on the right with
> >    zero bits until it is 128 bits long.
> >
> > o  If the key is 129 bits or longer, call the first 128 bits
> >    TKEY (temporary key) and the remaining bits TDATA (temporary
> >    data).  If TDATA's length is not a multiple of 128, pad TDATA
> >    on the right with enough 0 bits to make its length an exact
> >    multiple of 128. Encrypt each 128-bit block of TDATA with TKEY
> >    using AES-128-EBC as the cipher.  When finished, XOR the
> >    resulting blocks in the same order as they were created.
>
>This way of using ECB mode fails horribly if, for instance,
>the input contains contains 128 bits of entropy, but for some
>strange reason consists of three copies of the same 128-bit
>block: the output would always be zero.
>
>What we really need here is a "randomness extractor" that
>produces a 128-bit output with sufficient entropy (with some
>suitable definitions of "sufficient" and "entropy") when
>given _any_ input with sufficient entropy, even if the input
>contains some known/guessable bits and/or structure.
>
>IKEv2 already assumes that AES-XCBC-PRF is a reasonable
>randomness extractor (when the key is chosen randomly), so
>something like this would IMHO be better:
>
>    o If the key is 129 bits or longer, call the first 128 bits
>      TKEY (temporary key) and the remaining bits TDATA (temporary
>      data). Calculate AES-XCBC-PRF-128(TKEY, TDATA) and use
>      the output as the key.
>
>But the assumption made here is slightly different from normal
>IKEv2 (where the key is Ni/Nr), so probably we should ask some
>crypto experts (Hugo, are you listening? :-) about this.
>
>Also, I'm not sure if doing this step only when the key is
>longer than 128 bits causes some problems, or whether it would
>be better to do it always (but then it would not be
>backwards-compatible with 3664 anymore).
>
>Best regards,
>Pasi
>
>_______________________________________________
>Ipsec mailing list
>Ipsec@ietf.org
>https://www1.ietf.org/mailman/listinfo/ipsec


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email