Re: why is SA lifetime kilobyte limit disabled in racoon?
On May 23, 2011, at 7:06:47 AM, Matthias Drochner wrote:
> smb%cs.columbia.edu@localhost said:
>> While I don't know the precise reason, I will note that byte count
>> expiration is much less of an issue with AES than with DES or 3DES.
>> The problem with DES and 3DES is that they use 64-bit blocks, which
>> means that you start running into birthday paradox problems after 2^32
>> blocks, i.e., 2^35 bytes. On modern, high-speed nets, that isn't at
>> all out of the question. AES, by contrast, uses 128-bit blocks, which
>> raises the threshold to 2^68 bytes, which is about 7000 years at
>> 10GigE speeds...
> It seems to me that there is also a need for an expiration by
> packet count, if IV uniqueness is important.
> AES-CTR eg has an IV space of 64 bits. With randomly generated
> IVs (as the KAME and FAST_IPSEC code does on all BSDs AFAICS)
> the same birthday paradox argument holds -- after 2^32 packets
> even if the blocksize is 128 bits.
> Or - being clueless about cryptography - am I missing something?
> Since a packet count limit is not negotiated through IKE AFAIK,
> this is a local decision, and one can't assume that both ends
> of the line use the same limit.
> This also would require that both sides are able to initiate
> rekeying at any time.
> (And/or another IV generation method could be used here, 64-bit LFSR
> or so. I'll leave that to the experts.)
Precisely. Section 3.1 of 3686 says
3.1. Initialization Vector
The AES-CTR IV field MUST be eight octets. The IV MUST be chosen by
the encryptor in a manner that ensures that the same IV value is used
only once for a given key. The encryptor can generate the IV in any
manner that ensures uniqueness. Common approaches to IV generation
include incrementing a counter for each packet and linear feedback
shift registers (LFSRs).
In other words, a simple counter suffices. Appendix B of the NIST standard
(Special Publication 800-38A) says the same thing. There is thus no
danger of a birthday attack, so one gets the full 64-bit space.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
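Added example (not from this thread, racoon, or the KAME/FAST_IPSEC code): a Python calculator for the birthday-bound rekey limits argued above, paired with a counter-based IV source of the kind RFC 3686 section 3.1 permits. It assumes the usual birthday approximation and a 50% collision budget by default; all function and class names are hypothetical.

```python
# Constructed example: per-SA rekey limits from the birthday bound, plus a
# counter IV source. Not racoon/KAME code; names are hypothetical.
import math


def collision_probability(n: int, bits: int) -> float:
    """P(at least one repeat) among n values drawn uniformly from 2**bits,
    using the birthday approximation 1 - exp(-n^2 / 2^(bits+1))."""
    return 1.0 - math.exp(-(n * n) / 2.0 ** (bits + 1))


def max_items(bits: int, max_prob: float) -> int:
    """Largest n with collision_probability(n, bits) <= max_prob."""
    return int(math.sqrt(-(2.0 ** (bits + 1)) * math.log1p(-max_prob)))


def sa_limits(block_bits: int, iv_mode: str, iv_bits: int = 64,
              max_prob: float = 0.5) -> dict:
    """Byte and packet limits before an SA should be rekeyed.

    block_bits: 64 for DES/3DES, 128 for AES; the CBC ciphertext-block
                birthday bound gives the byte limit.
    iv_mode:    "random" per-packet IVs (birthday bound on IVs gives the
                packet limit) or "counter" IVs (unique until exhausted).
    """
    byte_limit = max_items(block_bits, max_prob) * (block_bits // 8)
    if iv_mode == "random":
        packet_limit = max_items(iv_bits, max_prob)
    elif iv_mode == "counter":
        packet_limit = 2 ** iv_bits  # each value used once: no birthday effect
    else:
        raise ValueError("iv_mode must be 'random' or 'counter'")
    return {"byte_limit": byte_limit, "packet_limit": packet_limit}


def years_to_send(num_bytes: int, bits_per_second: float) -> float:
    """Years needed to push num_bytes through a link of bits_per_second."""
    return num_bytes / (bits_per_second / 8) / (365.25 * 24 * 3600)


class CounterIV:
    """RFC 3686 style IV source: a per-SA counter, never repeated under one key."""

    def __init__(self, bits: int = 64):
        self.bits, self.next_value = bits, 0

    def next(self) -> bytes:
        if self.next_value >= 2 ** self.bits:
            raise RuntimeError("IV space exhausted: rekey before sending more")
        iv = self.next_value.to_bytes(self.bits // 8, "big")
        self.next_value += 1
        return iv
```

Running `sa_limits(128, "random")` shows the thread's point numerically: random 64-bit IVs reach a 50% collision chance at roughly 2^32 packets even with 128-bit blocks, while `sa_limits(128, "counter")` allows the full 2^64.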