rfc2405.txt
RFC 2405 The ESP DES-CBC Cipher Algorithm November 1998
It is suggested that DES is not a good encryption algorithm for the
protection of even moderate value information in the face of such
equipment. Triple DES is probably a better choice for such purposes.
However, despite these potential risks, the level of privacy provided
by use of ESP DES-CBC in the Internet environment is far greater than
sending the datagram as cleartext.
The case for using random values for IVs has been refined with the
following summary provided by Steve Bellovin. Refer to [Bell97] for
further information.
"The problem arises if you use a counter as an IV, or some other
source with a low Hamming distance between successive IVs, for
encryption in CBC mode. In CBC mode, the "effective plaintext"
for an encryption is the XOR of the actual plaintext and the
ciphertext of the preceding block. Normally, that's a random
value, which means that the effective plaintext is quite random.
That's good, because many blocks of actual plaintext don't change
very much from packet to packet, either.
For the first block of plaintext, though, the IV takes the place
of the previous block of ciphertext. If the IV doesn't differ
much from the previous IV, and the actual plaintext block doesn't
differ much from the previous packet's, then the effective
plaintext won't differ much, either. This means that you have
pairs of ciphertext blocks combined with plaintext blocks that
differ in just a few bit positions. This can be a wedge for
assorted cryptanalytic attacks."
The discussion on IVs has been updated to require that an
implementation not use a low-Hamming distance source for IVs.
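The effect Bellovin describes can be checked directly, without running DES at all: in CBC mode the value actually fed to the cipher for the first block is IV XOR P1, so the bit-distance between those "effective plaintexts" across packets is what matters. The script below is an added example, not part of RFC 2405 or of any IPsec implementation. It compares a counter-based IV source (the low-Hamming-distance source the text above forbids) with an os.urandom source, and includes a small self-test an implementer could run against their own IV generator. The sample first blocks (a TCP port pair plus an advancing sequence number) and the 8-bit cut-off in the self-test are constructed assumptions for illustration, not values from the RFC.

```python
import os
import struct

BLOCK_BYTES = 8  # DES block size: RFC 2405 IVs are one 64-bit block


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def xor_block(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter_ivs(start: int, n: int) -> list:
    """IVs taken from a 64-bit counter: successive values differ in very few bits."""
    return [struct.pack(">Q", start + i) for i in range(n)]


def random_ivs(n: int) -> list:
    """IVs from the OS CSPRNG, i.e. an RFC 1750 style random source."""
    return [os.urandom(BLOCK_BYTES) for _ in range(n)]


def constructed_first_blocks(n: int) -> list:
    """Constructed sample (not captured traffic): the first 8 payload bytes of
    successive packets on one TCP connection, laid out as src port, dst port,
    sequence number. Only the sequence number changes, by one MSS per packet,
    which is exactly the 'plaintext that doesn't change much' case in the text."""
    src_port, dst_port, mss = 0x1234, 80, 1460
    return [struct.pack(">HHI", src_port, dst_port, 0x10000000 + i * mss)
            for i in range(n)]


def effective_plaintext_distances(ivs, first_blocks) -> list:
    """Hamming distance between the CBC effective plaintexts (IV XOR P1) of
    successive packets. These are the DES inputs for block 1, so a small
    distance here hands the attacker ciphertext pairs whose inputs differ in
    only a few bit positions."""
    eff = [xor_block(iv, p) for iv, p in zip(ivs, first_blocks)]
    return [hamming(eff[i], eff[i + 1]) for i in range(len(eff) - 1)]


def min_successive_iv_distance(ivs) -> int:
    return min(hamming(ivs[i], ivs[i + 1]) for i in range(len(ivs) - 1))


def iv_source_is_low_hamming(ivs, threshold: int = 8) -> bool:
    """Self-test for an IV generator: True if any two successive IVs in the
    sample differ in fewer than `threshold` bits. A counter fails on its first
    step. A uniform 64-bit source averages 32 differing bits per pair, so the
    cut-off of 8 (an assumption for this example, not an RFC value) is one a
    genuinely random source essentially never trips at this sample size."""
    return min_successive_iv_distance(ivs) < threshold


if __name__ == "__main__":
    blocks = constructed_first_blocks(16)
    print("counter IVs:", effective_plaintext_distances(counter_ivs(1000, 16), blocks))
    print("random IVs: ", effective_plaintext_distances(random_ivs(16), blocks))
    print("counter source low-Hamming?", iv_source_is_low_hamming(counter_ivs(1000, 16)))
    print("urandom source low-Hamming?", iv_source_is_low_hamming(random_ivs(16)))
```

With the counter source, the per-packet distances stay in the single digits or low teens, bounded by the few bits the counter flips plus the few the sequence number flips; with the random source they cluster around 32 of 64 bits regardless of how repetitive the plaintext is. The self-test only catches the gross case the RFC names; it is not a substitute for drawing IVs from a source that meets [RFC-1750].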
7. References
[Bell95] Bellovin, S., "An Issue With DES-CBC When Used Without
Strong Integrity", Presentation at the 32nd Internet
Engineering Task Force, Danvers Massachusetts, April
1995.
[Bell96] Bellovin, S., "Problem Areas for the IP Security
Protocols", Proceedings of the Sixth Usenix Security
Symposium, July 1996.
Madson & Doraswamy Standards Track [Page 6]
[Bell97] Bellovin, S., "Probable Plaintext Cryptanalysis of the
IP Security Protocols", Proceedings of the Symposium on
Network and Distributed System Security, San Diego, CA,
pp. 155-160, February 1997 (also
http://www.research.att.com/~smb/papers/probtxt.{ps,
pdf}).
[BS93] Biham, E., and A. Shamir, "Differential Cryptanalysis of
the Data Encryption Standard", Berlin: Springer-Verlag,
1993.
[Blaze96] Blaze, M., Diffie, W., Rivest, R., Schneier, B.,
Shimomura, T., Thompson, E., and M. Wiener, "Minimal Key
Lengths for Symmetric Ciphers to Provide Adequate
Commercial Security", currently available at
http://www.bsa.org/policy/encryption/cryptographers.html.
[CN94] Carroll, J.M., and S. Nudiati, "On Weak Keys and Weak
Data: Foiling the Two Nemeses", Cryptologia, Vol. 18
No. 23 pp. 253-280, July 1994.
[FIPS-46-2] US National Bureau of Standards, "Data Encryption
Standard", Federal Information Processing Standard
(FIPS) Publication 46-2, December 1993,
http://www.itl.nist.gov/div897/pubs/fip46-2.htm
(supersedes FIPS-46-1).
[FIPS-74] US National Bureau of Standards, "Guidelines for
Implementing and Using the Data Encryption Standard",
Federal Information Processing Standard (FIPS)
Publication 74, April 1981,
http://www.itl.nist.gov/div897/pubs/fip74.htm.
[FIPS-81] US National Bureau of Standards, "DES Modes of
Operation", Federal Information Processing Standard
(FIPS) Publication 81, December 1980,
http://www.itl.nist.gov/div897/pubs/fip81.htm.
[Matsui94] Matsui, M., "Linear Cryptanalysis method for DES
Cipher", Advances in Cryptology -- Eurocrypt '93
Proceedings, Berlin: Springer-Verlag, 1994.
[RFC-1750] Eastlake, D., Crocker, S., and J. Schiller, "Randomness
Recommendations for Security", RFC 1750, December 1994.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[Schneier96] Schneier, B., "Applied Cryptography Second Edition",
John Wiley & Sons, New York, NY, 1996. ISBN 0-471-
12845-7.
[Wiener94] Wiener, M.J., "Efficient DES Key Search", School of
Computer Science, Carleton University, Ottawa, Canada,
TR-244, May 1994. Presented at the Rump Session of
Crypto '93. [Reprinted in "Practical Cryptography for
Data Internetworks", W.Stallings, editor, IEEE Computer
Society Press, pp.31-79 (1996). Currently available at
ftp://ripem.msu.edu/pub/crypt/docs/des-key-search.ps.]
[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[AH] Kent, S., and R. Atkinson, "IP Authentication Header
(AH)", RFC 2402, November 1998.
[arch] Kent, S., and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998.
[road] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998.
8. Acknowledgments
Much of the information provided here originated with various ESP-DES
documents authored by Perry Metzger and William Allen Simpson,
especially the Security Considerations section.
This document is also derived in part from previous works by Jim
Hughes, those people that worked with Jim on the combined DES-
CBC+HMAC-MD5 ESP transforms, the ANX bakeoff participants, and the
members of the IPsec working group.
Thanks to Rob Glenn for assisting with the nroff formatting.
The IPSec working group can be contacted via the IPSec working
group's mailing list (ipsec@tis.com) or through its chairs:
Robert Moskowitz
International Computer Security Association
EMail: rgm@icsa.net
Theodore Y. Ts'o
Massachusetts Institute of Technology
EMail: tytso@MIT.EDU
9. Editors' Addresses
Cheryl Madson
Cisco Systems, Inc.
EMail: cmadson@cisco.com
Naganand Doraswamy
Bay Networks, Inc.
EMail: naganand@baynetworks.com
10. Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.