Re: replay field size
Steven Bellovin <smb@research.att.com> Thu, 13 February 1997 16:35 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA06180 for ipsec-outgoing; Thu, 13 Feb 1997 11:35:00 -0500 (EST)
Message-Id: <199702131637.LAA02391@raptor.research.att.com>
To: Ran Atkinson <rja@inet.org>
cc: Robert Glenn <glenn@snad.ncsl.nist.gov>, Stephen Kent <kent@bbn.com>, ipsec@tis.com
Subject: Re: replay field size
Date: Thu, 13 Feb 1997 11:37:39 -0500
From: Steven Bellovin <smb@research.att.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> As you note, one can rekey more frequently than when the counter runs > out. However, the counter size does present an upper bound to the rekey > interval. In this way, they are related. This relationship does need > to be carefully considered by the working group, IMHO. > > For example, I am aware of commercial encrypting router products > (not cisco) that can handle a full IP stream at OC-3c rates (155 Mbps). > Based on the relatively small size of a large percentage of IP datagrams > (as measured on a well-known OC-3 trans-Atlantic IP link), this is not > a particularly long time interval between rekeys forced by a 32-bit > replay counter. If all packets were 40 bytes, 155Mbps is about 500K packets/second. At 2^32 packets before rekey, the interval is over 2 hours if the link were running flat-out. That's not onerous. Even at 1Gbps -- the fastest I've heard anyone discuss -- it's still 20 minutes. A router that can switch packets at that rate will likely have a moderately serious CPU for doing new key exchanges. But not all packets are that small; in fact, the mean packet size is about 250 bytes (see http://www.nlanr.net/NA/Learn/packetsizes.html) -- while tinygrams are a large percentage of the packet count, they don't account for very much of the volume by byte; what fills up OC-3 lines is the bulk tranfers. At that rate, the rekey interval is over 15 hours at OC-3 speeds. But it's worse than that. At 250 bytes/packet, there are about 2^5 DES blocks/packet, which means there are 2^37 blocks per ``full'' 32-bit security association. That's getting unpleasantly close to the point where linear cryptanalysis is feasbible. (Matsui's CRYPTO '94 paper says that with 2^38 known plaintexts, the success rate is 10% with complexity 2^50. The new ``Handbook of Applied Cryptography'' notes that ``linear cryptanalysis is possible in a ciphertext-only environment if some underlying plaintext redundancy is known (e.g., parity bits or high-order 0-bits in ASCII characters.)) I submit that we really don't want to encrypt that much plaintext with any single key -- ever. And of course, we don't know that linear cryptanalysis is the ultimate attack. Furthermore, the 2^32 packet limit is the limit for a single association. To my mind, that makes it highly improbable that it's a real limit in any event -- and if we get near it, we should rekey. > By contrast, a 64-bit replay counter would not increase the size > of the overall packet because it would just eliminate 32-bits of > padding (that would be needed otherwise for IPv6 compliance). However, > a 64-bit replay counter would very significantly increase the upper > bound and make premature forced rekeying a non-issue for the overwhelming > majority of cases. It would also mandate an 64-bit subtraction that's unpleasant on most of today's hosts. > This argues that a 64-bit replay counter would best further the WG's > goal of maintaining a set of specifications that work equally well with > any cryptographic algorithm. > > Ran > rja@inet.org
- RE: replay field size Roy Shamir
- RE: replay field size Michael J. Oehler
- Re: replay field size Niels Ferguson
- replay field size Derrell Piper
- Re: replay field size Matt Thomas
- RE: replay field size Roy Pereira
- RE: replay field size Ran Atkinson
- RE: replay field size Roy Pereira
- Re: replay field size Tim Bass (IETF)
- RE: replay field size Rob Adams
- Re: replay field size Dan McDonald
- RE: replay field size Ran Atkinson
- Re: replay field size Robert Glenn
- RE: replay field size Roy Pereira
- RE: replay field size Dan McDonald
- Re: replay field size Germano Caronni
- Re: replay field size John Keating
- Re: replay field size Derrell Piper
- Re: replay field size Ran Atkinson
- Re: replay field size wei
- RE: replay field size Stephen Kent
- Re: replay field size Matt Thomas
- RE: replay field size Phil Karn
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Perry E. Metzger
- Re: replay field size Niels Ferguson
- Re: replay field size Bill Sommerfeld
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Uri Blumenthal
- RE: replay field size Bob Monsour
- RE: replay field size Stephen Kent
- RE: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Ran Atkinson
- Re: replay field size Steven Bellovin
- Re: replay field size Ran Atkinson
- Re: replay field size Jim Thompson
- Re: replay field size Bart Preneel