Re: [IPsec] Updating IPsec algorithm requirements
Excerpt of message (sent 6 November 2009) by David McGrew:
> Hi Paul, Yaron, and IPsec ME WG participants,
>
> I would like to propose an update to the algorithm requirements, as
> outlined below.
> ...
> Currently, AES in Counter Mode (AES-CTR)[RFC3686] is recommended as a
> SHOULD in "Cryptographic Algorithm Implementation Requirements for
> Encapsulating Security Payload (ESP) and Authentication Header (AH)",
> RFC 4835. AES-CTR is a useful algorithm because it admits efficient
> high speed implementations. However, it provides no authentication.
... and therefore no confidentiality either, if used by itself, via
the Bellovin attack.
> From RFC3686: "With AES-CTR, it is trivial to use a valid ciphertext
> to forge other (valid to the decryptor) ciphertexts. Thus, it is
> equally catastrophic to use AES-CTR without a companion authentication
> function. Implementations MUST use AES-CTR in conjunction with an
> authentication function, such as HMAC-SHA-1-96 [HMAC-SHA]."
> Unfortunately, none of the authentication algorithms currently defined
> for IPsec (HMAC, XCBC-MAC) admit efficient high speed
> implementations. Thus the need for authentication undermines the
> efficiency of AES-CTR.
>
> AES-GCM was designed specifically to overcome this problem. ...
>
> It is especially important that AES-GCM be recommended over the use of
> AES-CTR with HMAC-SHA-256, ...
I agree. For the reasons you gave, and also to remove the temptation
to run AES-CTR without authentication for performance reasons, even
though the standard says not to do this.
paul
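As an added, stand-alone illustration of the RFC 3686 warning quoted above (this is not code from the thread or from any IETF document), the following Go program shows the two behaviours the discussion contrasts: an AES-CTR receiver with no authentication function silently accepts a ciphertext in which one bit was changed in transit, while AES-GCM rejects the same change before releasing any plaintext. It uses only the Go standard library; the key, counter block, nonce, AAD and message are constructed values chosen for reproducibility, not real secrets, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed, fixed test values so the example is reproducible. They are not
// real keys; a deployed system derives fresh keys and never reuses a CTR
// counter block or GCM nonce under the same key.
var (
	sampleKey = []byte("0123456789abcdef") // 16 bytes: AES-128
	ctrIV     = []byte("fixed-ctr-iv-16b") // 16-byte initial counter block for CTR
	gcmNonce  = []byte("12-byte-nonc")     // 12-byte GCM nonce
	sampleAAD = []byte("constructed-hdr")  // stands in for header fields GCM authenticates but does not encrypt
)

// ctrApply runs AES-CTR over data. Encryption and decryption are the same
// keystream XOR, and there is no integrity check: decryption cannot fail.
func ctrApply(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// newGCM wraps AES-128 in GCM, which appends a 16-byte authentication tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// flipBit returns a copy of buf with one bit inverted, modelling any
// modification of the ciphertext between sender and receiver.
func flipBit(buf []byte, idx int, bit uint) []byte {
	out := append([]byte(nil), buf...)
	out[idx] ^= 1 << bit
	return out
}

// ctrTamperResult encrypts pt with AES-CTR, flips one ciphertext bit, and
// decrypts. The receiver obtains a plaintext with the same bit flipped and
// gets no indication that anything happened.
func ctrTamperResult(pt []byte, idx int) ([]byte, error) {
	if idx < 0 || idx >= len(pt) {
		return nil, errors.New("index out of range")
	}
	ct, err := ctrApply(sampleKey, ctrIV, pt)
	if err != nil {
		return nil, err
	}
	return ctrApply(sampleKey, ctrIV, flipBit(ct, idx, 0))
}

// gcmTamperResult does the same with AES-GCM. The tag check inside Open
// fails and no plaintext is released to the caller.
func gcmTamperResult(pt []byte, idx int) ([]byte, error) {
	if idx < 0 || idx >= len(pt) {
		return nil, errors.New("index out of range")
	}
	aead, err := newGCM(sampleKey)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, gcmNonce, pt, sampleAAD) // ciphertext || 16-byte tag
	return aead.Open(nil, gcmNonce, flipBit(sealed, idx, 0), sampleAAD)
}

// gcmRoundTrip confirms that an unmodified AES-GCM message still opens.
func gcmRoundTrip(pt []byte) ([]byte, error) {
	aead, err := newGCM(sampleKey)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, gcmNonce, pt, sampleAAD)
	return aead.Open(nil, gcmNonce, sealed, sampleAAD)
}

func main() {
	pt := []byte("amount=0010") // constructed message
	got, _ := ctrTamperResult(pt, 7)
	fmt.Printf("AES-CTR, no MAC: sent %q, receiver accepted %q\n", pt, got)
	_, err := gcmTamperResult(pt, 7)
	fmt.Printf("AES-GCM:         same modification rejected: %v\n", err)
}
```

The CTR path returns a plausible but altered message with a nil error, which is why a receiver cannot tell an accidental or deliberate change from a genuine one without a companion MAC; the GCM path returns an error from Open and nil plaintext, so the check is built into the decrypt call rather than being a separate step an implementer can skip for speed.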
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.