tech-net archive


Re: why is SA lifetime kilobyte limit disabled in racoon?

On May 23, 2011, at 7:06:47 AM, Matthias Drochner wrote:

> said:
>> While I don't know the precise reason, I will note that byte count
>> expiration is much less of an issue with AES than with DES or 3DES.
>> The problem with DES and 3DES is that they use 64-bit blocks, which
>> means that you start running into birthday paradox problems after 2^32
>> blocks, i.e., 2^35 bytes.  On modern, high-speed nets, that isn't at
>> all out of the question.  AES, by contrast, uses 128-bit blocks, which
>> raises the threshold to 2^68 bytes, which is about 7000 years at
>> 10GigE speeds...
> It seems to me that there is also a need for an expiration by
> packet count, if IV uniqueness is important.
> AES-CTR eg has an IV space of 64 bits. With randomly generated
> IVs (as the KAME and FAST_IPSEC code does on all BSDs AFAICS)
> the same birthday paradox argument holds -- after 2^32 packets
> even if the blocksize is 128 bits.
> Or - being clueless about cryptography - am I missing something?
> Since a packet count limit is not negotiated through IKE AFAIK,
> this is a local decision, and one can't assume that both ends
> of the line use the same limit.
> This also would require that both sides are able to initiate
> rekeying at any time.
> (And/or another IV generation method could be used here, 64-bit LFSR
> or so. I'll leave that to the experts.)

Precisely.  Section 3.1 of 3686 says

3.1.  Initialization Vector

   The AES-CTR IV field MUST be eight octets.  The IV MUST be chosen by
   the encryptor in a manner that ensures that the same IV value is used
   only once for a given key.  The encryptor can generate the IV in any
   manner that ensures uniqueness.  Common approaches to IV generation
   include incrementing a counter for each packet and linear feedback
   shift registers (LFSRs).

In other words, a simple counter suffices.  Appendix B of the NIST standard
(Special Publication 800-38A) says the same thing.  There is thus no
danger of a birthday attack, so one gets the full 64-bit space.

                --Steve Bellovin,
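As an added illustration (not part of the thread or any of the posters' code), the following Python works through the two bounds discussed above: the birthday collision probability for randomly generated IVs of a given width, the byte limit implied by the block size, and a simulation at a reduced 20-bit IV width showing that counter IVs (RFC 3686 section 3.1) stay unique until the counter wraps while random IVs repeat long before that. The 10GigE rate and the fixed seed are assumed values chosen for the demonstration.

```python
import math
import random

def birthday_collision_probability(iv_bits, packets):
    """Chance that at least two of `packets` uniformly random IVs of
    `iv_bits` bits coincide (standard 1 - exp(-k(k-1)/2N) approximation)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))

def packets_until_probability(iv_bits, p):
    """Packets after which a random-IV collision has probability p."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))

def birthday_byte_limit(block_bits):
    """Bytes encrypted under one key before block collisions become likely:
    2^(b/2) blocks of b/8 bytes each (2^35 for DES/3DES, 2^68 for AES)."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)

def years_at_rate(nbytes, bits_per_second):
    """Time needed to push nbytes over a link of the given rate, in years."""
    return nbytes / (bits_per_second / 8.0) / (365.25 * 86400)

def random_ivs(iv_bits, count, rng):
    """Independently random IVs, the scheme the thread attributes to KAME/FAST_IPSEC."""
    return [rng.getrandbits(iv_bits) for _ in range(count)]

def counter_ivs(iv_bits, count, start=0):
    """Counter IVs as permitted by RFC 3686: unique until the counter wraps."""
    mask = (1 << iv_bits) - 1
    return [(start + i) & mask for i in range(count)]

def first_repeat(ivs):
    """Index of the first IV equal to an earlier one, or None if all are unique."""
    seen = set()
    for i, iv in enumerate(ivs):
        if iv in seen:
            return i
        seen.add(iv)
    return None

if __name__ == "__main__":
    rng = random.Random(2011)  # constructed fixed seed; 20-bit IVs keep the demo short
    print("20-bit random IVs, 8192 pkts, first repeat at:", first_repeat(random_ivs(20, 8192, rng)))
    print("20-bit counter IVs, 2^20 pkts, first repeat at:", first_repeat(counter_ivs(20, 2 ** 20)))
```

At 64 bits the same curve gives roughly a 39% collision chance after 2^32 random IVs, which is the packet-count concern raised in the thread; a counter removes it entirely.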
