| draft-ietf-ipsec-ciph-des-expiv-00.txt | draft-ietf-ipsec-ciph-des-expiv-01.txt |
|---|---|
| Network Working Group IPsec Working Group | Network Working Group IPsec Working Group | |||
| INTERNET DRAFT C. Madson | INTERNET DRAFT C. Madson | |||
| Expires in six months Cisco Systems, Inc. | Expires in Six Months Cisco Systems, Inc. | |||
| N. Doraswamy | N. Doraswamy | |||
| Bay Networks, Inc. | Bay Networks, Inc. | |||
| July 1997 | November 1997 | |||
| The ESP DES-CBC Cipher Algorithm | The ESP DES-CBC Cipher Algorithm | |||
| With Explicit IV | With Explicit IV | |||
| <draft-ietf-ipsec-ciph-des-expiv-00.txt> | <draft-ietf-ipsec-ciph-des-expiv-01.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is a submission to the IETF Internet Protocol Security | This document is a submission to the IETF Internet Protocol Security | |||
| (IPSEC) Working Group. Comments are solicited and should be addressed | (IPSEC) Working Group. Comments are solicited and should be addressed | |||
| to the working group mailing list (ipsec@tis.com) or to the editor. | to the working group mailing list (ipsec@tis.com) or to the authors. | |||
| This document is an Internet-Draft. Internet Drafts are working | This document is an Internet-Draft. Internet Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||
| and its working Groups. Note that other groups may also distribute | and its working Groups. Note that other groups may also distribute | |||
| working documents as Internet Drafts. | working documents as Internet Drafts. | |||
| Internet-Drafts draft documents are valid for a maximum of six months | Internet-Drafts draft documents are valid for a maximum of six months | |||
| and may be updated, replaced, or obsolete by other documents at any | and may be updated, replaced, or obsolete by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
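
Review bot: the "Status of this Memo" boilerplate is garbled identically in both versions: "Internet-Drafts draft documents are valid" should read "Internet-Drafts are draft documents valid", and "updated, replaced, or obsolete by other documents" should read "obsoleted". Since -01 already touches this block (capitalising "Expires in Six Months", changing "editor" to "authors"), fix the standard wording in the same pass.
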
| skipping to change at page 2, line 5 ¶ | skipping to change at page 2, line 5 ¶ | |||
| Distribution of this memo is unlimited. | Distribution of this memo is unlimited. | |||
| Abstract | Abstract | |||
| This document describes the use of the DES Cipher algorithm in Cipher | This document describes the use of the DES Cipher algorithm in Cipher | |||
| Block Chaining Mode, with an explicit IV, as a confidentiality | Block Chaining Mode, with an explicit IV, as a confidentiality | |||
| mechanism within the context of the IPSec Encapsulating Security | mechanism within the context of the IPSec Encapsulating Security | |||
| Payload (ESP). | Payload (ESP). | |||
| INTERNET DRAFT November 1997 Expires in Six Months | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes the use of the DES Cipher algorithm in Cipher | This document describes the use of the DES Cipher algorithm in Cipher | |||
| Block Chaining Mode as a confidentiality mechanism within the context | Block Chaining Mode as a confidentiality mechanism within the context | |||
| of the Encapsulating Security Payload. | of the Encapsulating Security Payload. | |||
| DES is a symmetric block cipher algorithm. The algorithm is described | DES is a symmetric block cipher algorithm. The algorithm is described | |||
| in [FIPS-46][FIPS-46-1][FIPS-74][FIPS-81]. [Simpson97a] provides a | in [FIPS-46][FIPS-46-1][FIPS-74][FIPS-81]. [Schneier96] provides a | |||
| general description of Cipher Block Chaining Mode, a mode which is | general description of Cipher Block Chaining Mode, a mode which is | |||
| applicable to several encryption algorithms. | applicable to several encryption algorithms. | |||
| As specified in this draft, DES-CBC is not an authentication | As specified in this draft, DES-CBC is not an authentication | |||
| mechanism. [Although DES-MAC, described in [Schneier96] amongst other | mechanism. [Although DES-MAC, described in [Schneier96] amongst other | |||
| places, does provide authentication, DES-MAC is not discussed here.] | places, does provide authentication, DES-MAC is not discussed here.] | |||
| For further information on how the various pieces of ESP fit together | For further information on how the various pieces of ESP fit together | |||
| to provide security services, refer to [ESP] and [Thayer97a]. | to provide security services, refer to [ESP] and [Thayer97]. | |||
| In this document, the keywords "MAY", "MUST", "optional", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "recommended", "required", "SHOULD", and "SHOULD NOT", are to be | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| interpreted as described in [RFC-2119]. | document are to be interpreted as described in [RFC-2119]. | |||
| 2. Algorithm and Mode | 2. Algorithm and Mode | |||
| DES-CBC is a symmetric secret-key block algorithm. It has a block | DES-CBC is a symmetric secret-key block algorithm. It has a block | |||
| size of 64 bits. | size of 64 bits. | |||
| [FIPS-46][FIPS-46-1][FIPS-74] and [FIPS-81] describe the DES | [FIPS-46][FIPS-46-1][FIPS-74] and [FIPS-81] describe the DES | |||
| algorithm, while [Simpson97a] provides a good description of CBC | algorithm, while [Schneier96] provides a good description of CBC | |||
| mode. | mode. | |||
| 2.1 Performance | 2.1 Performance | |||
| Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a 90 | Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a 90 | |||
| MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium. Other DES | MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium. Other DES | |||
| speed estimates may be found in [Schneier96]. | speed estimates may be found in [Schneier96]. | |||
| 3. ESP Payload | 3. ESP Payload | |||
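
Review bot: the bracketed aside "[Although DES-MAC, described in [Schneier96] amongst other places, does provide authentication, DES-MAC is not discussed here.]" uses the same square-bracket convention as the editorial markers elsewhere in the draft ("[***need reference info here***]", "[some document]"), so it reads as an unresolved note rather than as text meant to survive; use parentheses or fold it into the sentence. The switch of the CBC-mode citation from [Simpson97a] to [Schneier96] in both the Introduction and Section 2 is consistent with dropping the placeholder "[Simpson97a] Bill's CBC doc" from the references, and the RFC 2119 sentence now matches the standard form.
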
| skipping to change at page 2, line 58 ¶ | skipping to change at page 3, line 4 ¶ | |||
| Including the IV in each datagram ensures that decryption of each | Including the IV in each datagram ensures that decryption of each | |||
| received datagram can be performed, even when some datagrams are | received datagram can be performed, even when some datagrams are | |||
| dropped, or datagrams are re-ordered in transit. | dropped, or datagrams are re-ordered in transit. | |||
| Implementation note: | Implementation note: | |||
| Common practice is to use random data for the first IV and the | Common practice is to use random data for the first IV and the | |||
| last 8 octets of encrypted data from an encryption process as the | last 8 octets of encrypted data from an encryption process as the | |||
| IV for the next encryption process; this logically extends the CBC | IV for the next encryption process; this logically extends the CBC | |||
| across the packets. It also has the advantage of limiting the | across the packets. It also has the advantage of limiting the | |||

| leakage of information from the random number genrator. No matter | leakage of information from the random number genrator. No matter | |||
| which mechnism is used, the receiver MUST NOT assume any meaning | which mechnism is used, the receiver MUST NOT assume any meaning | |||
| for this value, other than that it is an IV. | for this value, other than that it is an IV. | |||
| The payload field, as defined in [ESP], is broken down according to | The payload field, as defined in [ESP], is broken down according to | |||
| the following diagram: | the following diagram: | |||
| +---------------+---------------+---------------+---------------+ | +---------------+---------------+---------------+---------------+ | |||
| | | | | | | |||
| + Initialization Vector (IV) + | + Initialization Vector (IV) + | |||
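
Review bot: the implementation note (random data for the first IV, then the last 8 octets of the previous encryption's ciphertext as the next IV) states only the benefit of chaining, limiting what the random number generator leaks, and not its cost. The previous datagram's ciphertext is carried on the wire, so anyone who observed it knows the next datagram's IV before that datagram is encrypted; a fresh random IV per datagram does not have that property. Since the note already requires that the receiver MUST NOT assume any meaning for the IV, suggest adding after "across the packets": "Note that with this method the IV of each datagram is predictable to an observer of the previous one; implementations MAY instead use fresh random data for every IV." Also "genrator" and "mechnism" are misspelled in both columns, so -01 did not catch them.
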
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 30 ¶ | |||
| ~ Encrypted Payload (variable length) ~ | ~ Encrypted Payload (variable length) ~ | |||
| | | | | | | |||
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
| 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 | 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 | |||
| 3.1 Block Size and Padding | 3.1 Block Size and Padding | |||
| The DES-CBC algorithm described in this document MUST use a block | The DES-CBC algorithm described in this document MUST use a block | |||
| size of 8 octets (64 bits). | size of 8 octets (64 bits). | |||
| When padding is required, it SHOULD be done according to the | When padding is required, it MUST be done according to the | |||
| conventions specified in [ESP]. | conventions specified in [ESP]. | |||
| 4. Key Material | 4. Key Material | |||
| DES-CBC is a symmetric secret key algorithm. The key size is 64-bits. | DES-CBC is a symmetric secret key algorithm. The key size is 64-bits. | |||
| [It is commonly known as a 56-bit key as the key has 56 significant | [It is commonly known as a 56-bit key as the key has 56 significant | |||
| bits; these 56 bits are stored in an 8-byte (64- bit) value, where | bits; these 56 bits are stored in an 8-byte (64- bit) value, where | |||
| each byte has seven significant bits from the 56-bit value and the | each byte has seven significant bits from the 56-bit value and the | |||
| least significant bit is used as a parity bit.] | least significant bit is used as a parity bit.] | |||
| [some document] describes the general mechanism to derive keying | [ESP] describes the general mechanism to derive keying material for | |||
| material for the ESP transform. The derivation of the key from some | the ESP transform. The derivation of the key from some amount of | |||
| amount of keying material does not differ between the manually- and | keying material does not differ between the manually- and | |||
| automatically-keyed security associations. | automatically-keyed security associations. | |||
| The mechanism MUST derive a 64-bit key value for use by this cipher. | The mechanism MUST derive a 64-bit key value for use by this cipher. | |||
| This derived value MUST be adjusted for parity as necessary. Weak key | This derived value MUST be adjusted for parity as necessary. Weak key | |||
| checks will be performed and << behavior to be defined>> | checks will be performed; if a weak key is dicovered, the key will be | |||
| rejected and IPSEC will request a new SA. | ||||
| 4.1 Weak Keys | 4.1 Weak Keys | |||
| DES has 64 known weak keys, including so-called semi-weak keys and | DES has 64 known weak keys, including so-called semi-weak keys and | |||
| possibly-weak keys (from [Schneier96], shown here in hex with parity | possibly-weak keys (from [Schneier96] -- corrected version provided | |||
| bits): | by William Allan Simpson -- shown here in hex with parity bits): | |||
| 0101 0101 0101 0101 | 0101 0101 0101 0101 | |||
| 1f1f 1f1f 0e0e 0e0e | 1f1f 1f1f 0e0e 0e0e | |||
| e0e0 e0e0 f1f1 f1f1 | e0e0 e0e0 f1f1 f1f1 | |||
| fefe fefe fefe fefe | fefe fefe fefe fefe | |||
| semi-weak key pairs: | semi-weak key pairs: | |||
| 01fe 01fe 01fe 01fe fe01 fe01 fe01 fe01 | 01fe 01fe 01fe 01fe fe01 fe01 fe01 fe01 | |||
| 1fe0 1fe0 0ef1 0ef1 e0f1 e0f1 f10e f10e | 1fe0 1fe0 0ef1 0ef1 e0f1 e0f1 f10e f10e | |||
| 01e0 01e0 01f1 01f1 e001 e001 f101 f101 | 01e0 01e0 01f1 01f1 e001 e001 f101 f101 | |||
| 1ffe 1ffe 0efe 0efe fe1f fe1f fe0e fe0e | 1ffe 1ffe 0efe 0efe fe1f fe1f fe0e fe0e | |||
| 011f 011f 010e 010e 1f01 1f01 0e01 0e01 | 011f 011f 010e 010e 1f01 1f01 0e01 0e01 | |||
| e0fe e0fe f1fe f1fe fee0 fee0 fef1 fef1 | e0fe e0fe f1fe f1fe fee0 fee0 fef1 fef1 | |||
| possibly-weak keys: | possibly-weak keys: | |||
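
Review bot: the new sentence "Weak key checks will be performed; if a weak key is dicovered, the key will be rejected and IPSEC will request a new SA" resolves the "<< behavior to be defined>>" marker but is not written in the RFC 2119 terms the draft says it uses, and "request a new SA" only has a meaning for automatic keying, while the same section states that key derivation does not differ between manually- and automatically-keyed SAs. Suggest: "Implementations MUST check the derived key against the weak keys listed in Section 4.1 and MUST reject a weak key. With automatic keying a new SA is requested; a manually keyed SA with a weak key MUST NOT be used." Fix "dicovered" while there. Smaller points in the same region: "The key size is 64-bits" should read "64 bits"; and the attribution "corrected version provided by William Allan Simpson" is welcome, but none of the key values visible in this region changed between -00 and -01, so the document should say which entries were corrected so readers of -00 can audit their tables.
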
| skipping to change at page 4, line 50 ¶ | skipping to change at page 4, line 53 ¶ | |||
| 1fe0 e01f 0ef1 f10e fefe e0e0 fefe f1f1 | 1fe0 e01f 0ef1 f10e fefe e0e0 fefe f1f1 | |||
| 01fe e01f 01fe f10e e0fe fee0 f1fe fef1 | 01fe e01f 01fe f10e e0fe fee0 f1fe fef1 | |||
| 01e0 fe1f 01f1 fe0e fee0 e0fe fef1 f1fe | 01e0 fe1f 01f1 fe0e fee0 e0fe fef1 f1fe | |||
| 1ffe fe1f 0efe fe0e e0e0 fefe f1f1 fefe | 1ffe fe1f 0efe fe0e e0e0 fefe f1f1 fefe | |||
| Implementations SHOULD take care not to select weak keys [CN94], | Implementations SHOULD take care not to select weak keys [CN94], | |||
| although the likelihood of picking one at random is negligible. | although the likelihood of picking one at random is negligible. | |||
| 4.2 Key Lifetime | 4.2 Key Lifetime | |||
| [Simpson97a] discusses collisions, which can provide information that | There are no current recommendations for key lifetime. | |||
| an attacker can use to recover the key. | ||||
| [***need reference info here***] The maximum key lifetime is 2**32 | ||||
| 64-byte blocks. The recommended key lifetime is ***** bytes and ***** | ||||
| seconds. | ||||
| 5. Interaction with Authentication Algorithms | 5. Interaction with Authentication Algorithms | |||
| As of this writing, there are no known issues which preclude the use | As of this writing, there are no known issues which preclude the use | |||
| of the DES-CBC algorithm with any specific authentication algorithm. | of the DES-CBC algorithm with any specific authentication algorithm. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| [Much of this section was originally written by William Allen Simpson | [Much of this section was originally written by William Allen Simpson | |||
| and Perry Metzger.] | and Perry Metzger.] | |||
| Users need to understand that the quality of the security provided by | Users need to understand that the quality of the security provided by | |||
| this specification depends completely on the strength of the DES | this specification depends completely on the strength of the DES | |||
| algorithm, the correctness of that algorithm's implementation, the | algorithm, the correctness of that algorithm's implementation, the | |||
| security of the Security Association management mechanism and its | security of the Security Association management mechanism and its | |||
| implementation, the strength of the key [CN94], and upon the correct- | implementation, the strength of the key [CN94], and upon the correct- | |||
| ness of the implementations in all of the participating nodes. | ness of the implementations in all of the participating nodes. | |||
| The security considerations section of [Simpson97a] discusses the cut | [Bell95] and [Bell96] describe a cut and paste splicing attack which | |||
| and paste splicing attack described by [Bell95, Bell96], as it | applies to all Cipher Block Chaining algorithms. This attack can be | |||
| applies to all Cipher Block Chaining algorithms. | addressed with the use of an authentication mechanism. | |||
| The use of the cipher mechanism without any corresponding | The use of the cipher mechanism without any corresponding | |||
| authentication mechanism is strongly discouraged. This cipher can be | authentication mechanism is strongly discouraged. This cipher can be | |||
| used in an ESP transform that also includes authentication; it can | used in an ESP transform that also includes authentication; it can | |||
| also be used in an ESP transform that doesn't include authentication | also be used in an ESP transform that doesn't include authentication | |||
| provided there is an companion AH header. Refer to [ESP], [AH], | provided there is an companion AH header. Refer to [ESP], [AH], | |||
| [arch], and [Thayer97a] for more details. | [arch], and [Thayer97] for more details. | |||
| [***the following paragraph edited slightly***] If self-describing | When the default ESP padding is used, the padding bytes have a | |||
| padding is used, the padding bytes have a predictable value. They | predictable value. They provide a small measure of tamper detection | |||
| provide a small measure of tamper detection on their own block and | on their own block and the previous block in CBC mode. This makes it | |||
| the previous block in CBC mode. This makes it somewhat harder to | somewhat harder to perform splicing attacks, and avoids a possible | |||
| perform splicing attacks, and avoids a possible covert channel. This | covert channel. This small amount of known plaintext does not create | |||
| small amount of known plaintext does not create any problems for | any problems for modern ciphers. | |||
| modern ciphers. [*** ISSUE: can't assume that SDP is in use, so the | ||||
| bytes won't be predictable***] | ||||
| [***the following paragraph edited slightly***] At the time of | At the time of writing of this document, [BS93] demonstrated a dif- | |||
| writing of this document, [BS93] demonstrated a dif- ferential | ferential cryptanalysis based chosen-plaintext attack requiring 2^47 | |||
| cryptanalysis based chosen-plaintext attack requiring 2^47 | ||||
| plaintext-ciphertext pairs, where the size of a pair is the size of a | plaintext-ciphertext pairs, where the size of a pair is the size of a | |||
| DES block (64 bits). [Matsui94] demonstrated a linear cryptanalysis | DES block (64 bits). [Matsui94] demonstrated a linear cryptanalysis | |||
| based known-plaintext attack requiring only 2^43 plain- text- | based known-plaintext attack requiring only 2^43 plain- text- | |||
| ciphertext pairs. Although these attacks are not considered | ciphertext pairs. Although these attacks are not considered | |||
| practical, they must be taken into account. | practical, they must be taken into account. | |||
| More disturbingly, [Weiner94] has shown the design of a DES cracking | More disturbingly, [Weiner94] has shown the design of a DES cracking | |||
| machine costing $1 Million that can crack one key every 3.5 hours. | machine costing $1 Million that can crack one key every 3.5 hours. | |||
| This is an extremely practical attack. | This is an extremely practical attack. | |||
| skipping to change at page 6, line 13 ¶ | skipping to change at page 6, line 5 ¶ | |||
| this attack. | this attack. | |||
| It is suggested that DES is not a good encryption algorithm for the | It is suggested that DES is not a good encryption algorithm for the | |||
| protection of even moderate value information in the face of such | protection of even moderate value information in the face of such | |||
| equipment. Triple DES is probably a better choice for such purposes. | equipment. Triple DES is probably a better choice for such purposes. | |||
| However, despite these potential risks, the level of privacy provided | However, despite these potential risks, the level of privacy provided | |||
| by use of ESP DES-CBC in the Internet environment is far greater than | by use of ESP DES-CBC in the Internet environment is far greater than | |||
| sending the datagram as cleartext. | sending the datagram as cleartext. | |||
| 7. References | 7. References | |||
| [Bell95] Bellovin, S., "An Issue With DES-CBC When Used Without | [Bell95] Bellovin, S., "An Issue With DES-CBC When Used Without | |||
| Strong Integrity", Presentation at the 32nd Internet Engineering | Strong Integrity", Presentation at the 32nd Internet Engineering | |||
| Task Force, Danvers Massachusetts, April 1995. | Task Force, Danvers Massachusetts, April 1995. | |||
| [Bell96] Bellovin, S., "Problem Areas for the IP Security Protocols", | [Bell96] Bellovin, S., "Problem Areas for the IP Security Protocols", | |||
| Proceedings of the Sixth Usenix Security Symposium, July 1996. | Proceedings of the Sixth Usenix Security Symposium, July 1996. | |||
| [BS93] Biham, E., and Shamir, A., "Differential Cryptanalysis of | [BS93] Biham, E., and Shamir, A., "Differential Cryptanalysis of | |||
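
Review bot: Section 4.2 now says only "There are no current recommendations for key lifetime", which drops both the rationale in -00 (collisions give an attacker information usable to recover the key) and its concrete bound of 2**32 blocks (where "64-byte blocks" should have read 64-bit blocks, since Section 2 gives the block size as 64 bits). Removing the "*****" placeholder byte and second figures is right, but leaving no bound at all gives implementers nothing to enforce; suggest keeping the block-count limit as a requirement ("A key SHOULD NOT be used to encrypt more than 2^32 blocks") and keeping the collision sentence with a reference other than the withdrawn [Simpson97a]. Replacing the cut-and-paste paragraph with a direct citation of [Bell95] and [Bell96] plus "This attack can be addressed with the use of an authentication mechanism" is an improvement and consistent with the "strongly discouraged" text that follows; consider stating that text as "SHOULD NOT be used without authentication" so it carries RFC 2119 force. Resolving the SDP issue by qualifying the padding paragraph with "When the default ESP padding is used" is correct. Remaining wording defects carried from -00 into -01: "an companion AH header" should be "a companion"; "dif- ferential" and "plain- text-" are hyphenation residue; and the citation key [Weiner94] does not match the author name "Wiener, M.J." in its own reference entry.
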
| skipping to change at page 7, line 6 ¶ | skipping to change at page 6, line 54 ¶ | |||
| Requirement Levels", RFC-2119/BCP 14, March, 1997. | Requirement Levels", RFC-2119/BCP 14, March, 1997. | |||
| [Schneier96] Schneier, B., "Applied Cryptography Second Edition", | [Schneier96] Schneier, B., "Applied Cryptography Second Edition", | |||
| John Wiley & Sons, New York, NY, 1996. ISBN 0-471-12845-7. | John Wiley & Sons, New York, NY, 1996. ISBN 0-471-12845-7. | |||
| [Weiner94] Wiener, M.J., "Efficient DES Key Search", School of | [Weiner94] Wiener, M.J., "Efficient DES Key Search", School of | |||
| Computer Science, Carleton University, Ottawa, Canada, TR-244, May | Computer Science, Carleton University, Ottawa, Canada, TR-244, May | |||
| 1994. Presented at the Rump Session of Crypto '93. | 1994. Presented at the Rump Session of Crypto '93. | |||
| [ESP] Kent, S., Atkinson, R., "IP Encapsulating Security Payload | [ESP] Kent, S., Atkinson, R., "IP Encapsulating Security Payload | |||
| (ESP)", draft-ietf-ipsec-esp-04.txt, work in progress, May 30, 1997. | (ESP)", draft-ietf-ipsec-esp-v2-02.txt, work in progress, November | |||
| 1997. | ||||
| [AH] Kent, S., Atkinson, R., "IP Authentication Header (AH)", | [AH] Kent, S., Atkinson, R., "IP Authentication Header (AH)", | |||
| draft-ietf-ipsec-auth-05.txt, work in progress, May 30, 1997. | draft-ietf-ipsec-auth-header-03.txt, work in progress, November | |||
| 1997. | ||||
| [arch] the security architecture doc | INTERNET DRAFT November 1997 Expires in Six Months | |||
| [Simpson97a] Bill's CBC doc | [arch] Kent, S., Atkinson, R., "Security Architecture for the | |||
| Internet Protocol", draft-ietf-ipsec-arch-sec-02.txt, work in | ||||
| progress, November 1997. | ||||
| [Thayer97a] the framework draft | [Thayer97] Thayer, R., Doraswamy, N., Glenn, R., "IP Security | |||
| Document Roadmap", draft-ietf-ipsec-doc-roadmap-02.txt, work in | ||||
| progress, November, 1997. | ||||
| 8. Acknowledgments | 8. Acknowledgments | |||
| Much of the information provided here originated with various ESP-DES | Much of the information provided here originated with various ESP-DES | |||
| documents authored by Perry Metzger and William Allen Simpson, | documents authored by Perry Metzger and William Allen Simpson, | |||
| including the data entry of the known weak key values, and especially | including the data entry of the known weak key values, and especially | |||
| the Security Considerations section. | the Security Considerations section. | |||
| This document is also derived in part from previous works by Jim | This document is also derived in part from previous works by Jim | |||
| Hughes, those people that worked with Jim on the combined DES- | Hughes, those people that worked with Jim on the combined DES- | |||
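
Review bot: the three placeholder entries from -00 ("[arch] the security architecture doc", "[Simpson97a] Bill's CBC doc", "[Thayer97a] the framework draft") are now either completed or removed, and the [ESP] and [AH] entries point at the current draft names, which is the main thing this revision needed. Two remaining points: the page header "INTERNET DRAFT November 1997 Expires in Six Months" has landed between the [AH] and [arch] entries in the -01 column, which is a pagination artifact worth checking in the formatted text; and the [Weiner94] entry should be keyed [Wiener94] to match its author, with the citation in Section 6 updated to agree.
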
End of changes. 28 change blocks. 43 lines changed or deleted, 55 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/