DES-CBC "interface" shim
William Allen Simpson <wsimpson@greendragon.com> Sat, 24 May 1997 18:14 UTC
Received: from cnri by ietf.org id aa10117; 24 May 97 14:14 EDT
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa07480; 24 May 97 14:14 EDT
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA02700 for ipsec-outgoing; Sat, 24 May 1997 14:01:12 -0400 (EDT)
Date: Sat, 24 May 1997 17:56:26 +0000
From: William Allen Simpson <wsimpson@greendragon.com>
Message-ID: <5957.wsimpson@greendragon.com>
To: ipsec@tis.com
Subject: DES-CBC "interface" shim
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
Since Bellovin, Kent and Monsour have all requested a revision, for comparison purposes I have generated a shorter version without the protocol and implementation information. I ask other folks to please indicate your preferences. Network Working Group P Metzger Internet Draft [Piermont] W A Simpson [DayDreamer] expires in six months May 1997 The ESP DES-CBC Transform Interface draft-simpson-esp-des1-shim-00.txt (C) Status of this Memo This document is an Internet-Draft. Internet Drafts are working doc- uments of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute work- ing documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months, and may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as refer- ence material, or to cite them other than as a ``working draft'' or ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the internet-drafts Shadow Directories on: ftp.is.co.za (Africa) nic.nordu.net (Europe) ds.internic.net (US East Coast) ftp.isi.edu (US West Coast) munnari.oz.au (Pacific Rim) Distribution of this memo is unlimited. Abstract This document describes the DES-CBC block cipher interface elements used with the IP Encapsulating Security Payload (ESP). Metzger & Simpson expires in six months [Page i] DRAFT ESP DES-CBC May 1997 1. Introduction The Encapsulating Security Payload (ESP) [RFC-1827] provides confi- dentiality for IP datagrams by encrypting the payload data to be pro- tected. This specification describes the ESP use of the Cipher Block Chaining (CBC) mode of the US Data Encryption Standard (DES) algo- rithm [FIPS-46, FIPS-46-1, FIPS-74, FIPS-81]. All implementations that claim conformance or compliance with the Encapsulating Security Payload specification MUST implement this DES- CBC transform. This document assumes that the reader is familiar with the related document "Security Architecture for the Internet Protocol" [RFC-1825], that defines the overall security plan for IP, and pro- vides important background for this specification. In this document, the key words "MUST", "optional", "recommended", "required", and "SHOULD", are to be interpreted as described in [RFC-2119]. 2. Algorithm and Mode P1 P2 Pi | | | IV->->(X) +>->->->(X) +>->->->(X) v ^ v ^ v +-----+ | +-----+ | +-----+ k->| Ek | ^ k->| Ek | ^ k->| Ek | +-----+ | +-----+ | +-----+ | ^ | ^ | +>->->+ +>->->+ +>->-> | | | C1 C2 Ci In DES-CBC, an Initialization Vector (IV) is XOR'd with the first 64-bit (8 octet) plaintext block (P1). The keyed DES encryption function (Ek) generates the ciphertext (C1) for the block. For successive blocks, the previous ciphertext block is XOR'd with the current plaintext (Pi). The keyed DES encryption function (Ek) generates the ciphertext (Ci) for that block. The Cipher Block Chaining (CBC) method provides for re- synchronization when datagrams are lost. For more explanation and implementation information for DES, see [Schneier95]. Metzger & Simpson expires in six months [Page 1] DRAFT ESP DES-CBC May 1997 3. Keys The secret DES key shared between the communicating parties is 56-bits in length. The 56-bit key is stored as a 64-bit (8 octet) quantity, with the least significant bit of each octet used as a par- ity bit. 3.1. Weak Keys DES has 64 known weak keys, including so-called semi-weak keys and possibly weak keys [Schneier95, pp 280-282]. Implementations SHOULD take care not to select weak keys [CN94], although the odds of pick- ing one at random are low. When manually configured, these 64 keys SHOULD be be rejected. When dynamically configured via a key management protocol, any of these 64 keys MUST be rejected, and a replacement key requested. 3.2. Key Management When manually configured, 64-bits (8 octets) are configured. Keys with incorrect parity SHOULD be be rejected. When dynamically configured via a key management protocol, 64-bits (8 octets) are returned for each key. The least significant bit of each key octet is ignored (or set to parity when the implementation requires). 4. Initialization Vector This mode of DES requires an Initialization Vector (IV) that is 64-bits (8 octets) in length. Each datagram contains its own IV. This IV is intended to be unique for the lifetime of the secret DES session-key. When manually configured, the 64-bit IV is generated from the 32-bit Sequence Number field followed by (concatenated with) the bit-wise complement of the same 32-bit value. When dynamically configured via a key management protocol, the 64-bit IV is generated from the 32-bit SPI field followed by (concatenated with) the 32-bit Sequence Number field. The bit-wise complement of the 32-bit Sequence Number value is XOR'd with the first 32-bits Metzger & Simpson expires in six months [Page 2] DRAFT ESP DES-CBC May 1997 (SPI). Security Notes: Including the IV in each datagram ensures that decryption of each received datagram can be performed, even when some datagrams are dropped, or datagrams are re-ordered in transit. The manually configured variant is required for backward compati- bility. It is appropriate when the associated SPI is unchanging. However, in a dynamic environment, the same data stream might be sent with more than one SPI. Including the changed SPI in the IV generation prevents analysis based on common leading blocks. Using the Sequence Number provides an easy method for preventing IV repetition, and is sufficiently robust for practical use with the DES algorithm. But, when used alone, cryptanalysis might be aided by the rare serendipitous occurrence where a corresponding bit position in the first DES block increments in exactly the same fashion as the Sequence Number. No commonly used IP Protocol/Payloads exhibit this property. Never-the-less, inclusion of the bit-wise complement ensures that Sequence Number bit changes are reflected twice in the IV. 5. Block Size The DES algorithm operates on blocks of 64-bits (8 octets). This often requires padding after the end of the unencrypted Payload Data. Both input and output result in the same number of octets. This facilitates in-place encryption and decryption. 6. ESP Padding The Padding field may be zero or more octets in length. Prior to encryption, this field is filled with a series of integer values (beginning with zero), to align the Pad Length and Payload Type fields at the end of an eight octet boundary (counted from the beginning of the Payload Data). After decryption, it may be examined for a valid series of integer values. Metzger & Simpson expires in six months [Page 3] DRAFT ESP DES-CBC May 1997 7. ESP Authenticator This optional variable-length field contains an Integrity Check Value (ICV) computed over the ESP data after encryption, beginning with the SPI and ending with the Payload Type. The length of the field depends upon the authentication function selected. DES-CBC does not provide integrity. When the ESP data is not other- wise verified (externally using AH or internally by the payload itself), it is recommended (but not required) that an ICV be provided here. The details of such functions are outside the scope of this document. 8. Performance Phil Karn has tuned DES software to achieve 10.45 Mbps with a 90 MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium. Other DES speed estimates may be found at [Schneier95, page 279]. Operational Considerations When used with manual keying, the specification provides only a few configurable parameters. SPI Configured SPIs are in the range 1 to 255. SPI LifeTime (SPILT) Manually configured LifeTimes are generally measured in days, while dynamic LifeTimes are specified in seconds. Default: 2,764,800 seconds (32 days). Maximum: implementation dependent. Pad Check Some earlier implementations used random pad values. Default: Off. Key The 56-bit key is configured as a 64-bit quantity, with appropri- ate parity included. Metzger & Simpson expires in six months [Page 4] DRAFT ESP DES-CBC May 1997 Each party configures a list of known SPIs and symmetric secret-keys. In addition, each party configures local policy that determines what access (if any) is granted to the holder of a particular SPI. For example, a party might allow FTP, but prohibit Telnet. Such consid- erations are outside the scope of this document. Security Considerations Users need to understand that the quality of the security provided by this specification depends completely on the strength of the DES algorithm, the correctness of that algorithm's implementation, the security of the key management mechanism and its implementation, the strength of the key [CN94], and upon the correctness of the implemen- tations in all of the participating nodes. The cut and paste splicing attack described by [Bell95, Bell96] exploits the nature of all Cipher Block Chaining algorithms. When a block is damaged in transmission, on decryption both it and the fol- lowing block will be garbled by the decryption process, but all sub- sequent blocks will be decrypted correctly. If an attacker has legitimate access to the same key, this feature can be used to insert or replay previously encrypted data of other users of the same engine, revealing the plaintext. The usual (ICMP, TCP, UDP) trans- port checksum can detect this attack, but on its own is not consid- ered cryptographically strong. In this situation, user or connection oriented integrity checking is needed [RFC-1826]. The padding bytes have a predictable value. They provide a small measure of tamper detection on their own block and the previous block in CBC mode. This makes it somewhat harder to perform splicing attacks, and avoids a possible covert channel. This small amount of known plaintext does not create any problems for modern ciphers. At the time of writing of this document, [BS93] demonstrated a dif- ferential cryptanalysis based chosen-plaintext attack requiring 2^47 plaintext-ciphertext pairs, and [Matsui94] demonstrated a linear cryptanalysis based known-plaintext attack requiring only 2^43 plain- text-ciphertext pairs. Although these attacks are not considered practical, they must be taken into account. More disturbingly, [Weiner94] has shown the design of a DES cracking machine costing $1 Million that can crack one key every 3.5 hours. This is an extremely practical attack. One or two blocks of known plaintext suffice to recover a DES key. Because IP datagrams typically begin with a block of known and/or Metzger & Simpson expires in six months [Page 5] DRAFT ESP DES-CBC May 1997 guessable header text, frequent key changes will not protect against this attack. It is suggested that DES is not a good encryption algorithm for the protection of even moderate value information in the face of such equipment. Triple DES is probably a better choice for such purposes. However, despite these potential risks, the level of privacy provided by use of ESP DES-CBC in the Internet environment is far greater than sending the datagram as cleartext. Change History Changes from RFC-1829: Additional explanation of IV calculation. Inclusion of SPI in IV calculation improves IV uniqueness over multiple sessions. Updated performance estimates. IV field renamed to Sequence. Only one size is supported. Padding is a known series of integers, and is checked upon receipt. Added authentication section. Removed protocol implementation specification. Added operational parameters section. Updated references. Updated contacts. Minor editorial changes. Metzger & Simpson expires in six months [Page 6] DRAFT ESP DES-CBC May 1997 Acknowledgements The basic field naming and layout is based on "swIPe" [IBK93, IB93]. Participants in the IP Security Working Group modified this to a variable number of variable length fields. After a digression span- ning 4 years, actual implementors mandated a return to these fewer well-known fields. Some of the text of this specification was derived from work by Ran- dall Atkinson for the SIP, SIPP, and IPv6 Working Groups. Phil Karn provided the original Encryption and Decryption text, and was the motivator and founding member of the IP Security Working Group. Perry Metzger provided the original Security Considerations text, some of which is distributed throughout the document. William Allen Simpson was responsible for the name and semantics of the SPI, the IV calculation technique(s), editing and formatting. The use of known padding values was suggested in various forms by Robert Baldwin, Phil Karn, and David Wagner. This specification uses Self-Describing-Padding [RFC-1570]. Steve Bellovin, Steve Deering, Karl Fox, Charles Lynn, Craig Metz, Dave Mihelcic and Jeffrey Schiller provided useful critiques of ear- lier versions of this draft. References [Bell95] Bellovin, S., "An Issue With DES-CBC When Used Without Strong Integrity", Presentation at the 32nd Internet Engi- neering Task Force, Danvers Massachusetts, April 1995. [Bell96] Bellovin, S., "Problem Areas for the IP Security Protocols", Proceedings of the Sixth Usenix Security Symposium, July 1996. [BS93] Biham, E., and Shamir, A., "Differential Cryptanalysis of the Data Encryption Standard", Berlin: Springer-Verlag, 1993. [CN94] Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak Data: Foiling the Two Nemeses", Cryptologia, Vol. 18 No. 23 pp. 253-280, July 1994. Metzger & Simpson expires in six months [Page 7] DRAFT ESP DES-CBC May 1997 [FIPS-46] US National Bureau of Standards, "Data Encryption Standard", Federal Information Processing Standard (FIPS) Publication 46, January 1977. [FIPS-46-1] US National Bureau of Standards, "Data Encryption Standard", Federal Information Processing Standard (FIPS) Publication 46-1, January 1988. [FIPS-74] US National Bureau of Standards, "Guidelines for Implement- ing and Using the Data Encryption Standard", Federal Infor- mation Processing Standard (FIPS) Publication 74, April 1981. [FIPS-81] US National Bureau of Standards, "DES Modes of Operation" Federal Information Processing Standard (FIPS) Publication 81, December 1980. [IB93] Ioannidis, J., and Blaze, M., "The Architecture and Imple- mentation of Network-Layer Security Under Unix", Proceedings of the Fourth Usenix Security Symposium, Santa Clara Cali- fornia, October 1993. [IBK93] Ioannidis, J., Blaze, M., and Karn, P., "swIPe: Network- Layer Security for IP", Presentation at the 26th Internet Engineering Task Force, Columbus Ohio, March 1993. [Matsui94] Matsui, M., "Linear Cryptanalysis method dor DES Cipher," Advances in Cryptology -- Eurocrypt '93 Proceedings, Berlin: Springer-Verlag, 1994. [RFC-1570] Simpson, W., "PPP LCP Extensions", DayDreamer, January 1994. [RFC-1700] Reynolds, J., and Postel, J., "Assigned Numbers", STD 2, RFC 1700, USC/Information Sciences Institute, October 1994. [RFC-1825] Atkinson, R., "Security Architecture for the Internet Proto- col", RFC-1825, Naval Research Laboratory, July 1995. [RFC-1826] Atkinson, R., "IP Authentication Header", RFC-1826, Naval Metzger & Simpson expires in six months [Page 8] DRAFT ESP DES-CBC May 1997 Research Laboratory, July 1995. [RFC-1827] Atkinson, R., "IP Encapsulating Security Protocol (ESP)", RFC-1827, Naval Research Laboratory, July 1995. [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate Require- ment Levels", BCP 14, Harvard University, March 1997. [RFC-xxxx] Karn, P., and Simpson, W., "ICMP Security Failures Mes- sages", draft-simpson-icmp-ipsec-fail-02.txt, work in progress. [RFC-yyyy] Simpson, W., and Wagner, D., "Internet Security Transform Enhancements", draft-simpson-ipsec-enhancement-01.txt, work in progress. [Schneier95] Schneier, B., "Applied Cryptography Second Edition", John Wiley & Sons, New York, NY, 1995. ISBN 0-471-12845-7. [Weiner94] Wiener, M.J., "Efficient DES Key Search", School of Computer Science, Carleton University, Ottawa, Canada, TR-244, May 1994. Presented at the Rump Session of Crypto '93. Metzger & Simpson expires in six months [Page 9] DRAFT ESP DES-CBC May 1997 Contacts Comments about this document should be discussed on the ipsec@tis.com mailing list. Questions about this document can also be directed to: Perry Metzger Piermont Information Systems Inc. 160 Cabrini Blvd., Suite #2 New York, NY 10033 perry@piermont.com William Allen Simpson DayDreamer Computer Systems Consulting Services 1384 Fontaine Madison Heights, Michigan 48071 wsimpson@UMich.edu wsimpson@GreenDragon.com (preferred) bsimpson@MorningStar.com Metzger & Simpson expires in six months [Page 10]
- DES-CBC "interface" shim William Allen Simpson
- Re: DES-CBC "interface" shim William Allen Simpson
- Re: DES-CBC "interface" shim Stephen Kent