rfc2405.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.


RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998


   It is suggested that DES is not a good encryption algorithm for the
   protection of even moderate value information in the face of such
   equipment.  Triple DES is probably a better choice for such purposes.

   However, despite these potential risks, the level of privacy provided
   by use of ESP DES-CBC in the Internet environment is far greater than
   sending the datagram as cleartext.

   The case for using random values for IVs has been refined with the
   following summary provided by Steve Bellovin. Refer to [Bell97] for
   further information.

      "The problem arises if you use a counter as an IV, or some other
      source with a low Hamming distance between successive IVs, for
      encryption in CBC mode.  In CBC mode, the "effective plaintext"
      for an encryption is the XOR of the actual plaintext and the
      ciphertext of the preceeding block.  Normally, that's a random
      value, which means that the effective plaintext is quite random.
      That's good, because many blocks of actual plaintext don't change
      very much from packet to packet, either.

      For the first block of plaintext, though, the IV takes the place
      of the previous block of ciphertext.  If the IV doesn't differ
      much from the previous IV, and the actual plaintext block doesn't
      differ much from the previous packet's, then the effective
      plaintext won't differ much, either.  This means that you have
      pairs of ciphertext blocks combined with plaintext blocks that
      differ in just a few bit positions.  This can be a wedge for
      assorted cryptanalytic attacks."

   The discussion on IVs has been updated to require that an
   implementation not use a low-Hamming distance source for IVs.

7. References

   [Bell95]     Bellovin, S., "An Issue With DES-CBC When Used Without
                Strong Integrity", Presentation at the 32nd Internet
                Engineering Task Force, Danvers Massachusetts, April
                1995.

   [Bell96]     Bellovin, S., "Problem Areas for the IP Security
                Protocols", Proceedings of the Sixth Usenix Security
                Symposium, July 1996.








Madson & Doraswamy          Standards Track                     [Page 6]

RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998


   [Bell97]     Bellovin, S., "Probable Plaintext Cryptanalysis of the
                IP Security Protocols", Proceedings of the Symposium on
                Network and Distributed System Security, San Diego, CA,
                pp. 155-160, February 1997 (also
                http://www.research.att.com/~smb/papers/probtxt.{ps,
                pdf}).

   [BS93]       Biham, E., and A. Shamir, "Differential Cryptanalysis of
                the Data Encryption Standard", Berlin: Springer-Verlag,
                1993.

   [Blaze96]    Blaze, M., Diffie, W., Rivest, R., Schneier, B.,
                Shimomura, T., Thompson, E., and M. Wiener, "Minimal Key
                Lengths for Symmetric Ciphers to Provide Adequate
                Commercial Security", currently available at
                http://www.bsa.org/policy/encryption/cryptographers.html.

   [CN94]       Carroll, J.M., and S. Nudiati, "On Weak Keys and Weak
                Data:  Foiling the Two Nemeses", Cryptologia, Vol. 18
                No. 23 pp.  253-280, July 1994.

   [FIPS-46-2]  US National Bureau of Standards, "Data Encryption
                Standard", Federal Information Processing Standard
                (FIPS) Publication 46-2, December 1993,
                http://www.itl.nist.gov/div897/pubs/fip46-2.htm
                (supercedes FIPS-46-1).

   [FIPS-74]    US National Bureau of Standards, "Guidelines for
                Implementing and Using the Data Encryption Standard",
                Federal Information Processing Standard (FIPS)
                Publication 74, April 1981,
                http://www.itl.nist.gov/div897/pubs/fip74.htm.

   [FIPS-81]    US National Bureau of Standards, "DES Modes of
                Operation", Federal Information Processing Standard
                (FIPS) Publication 81, December 1980,
                http://www.itl.nist.gov/div897/pubs/fip81.htm.

   [Matsui94]   Matsui, M., "Linear Cryptanalysis method for DES
                Cipher", Advances in Cryptology -- Eurocrypt '93
                Proceedings, Berlin:  Springer-Verlag, 1994.

   [RFC-1750]   Eastlake, D., Crocker, S., and J. Schiller, "Randomness
                Recommendations for Security", RFC 1750, December 1994.

   [RFC-2119]   Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.




Madson & Doraswamy          Standards Track                     [Page 7]

RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998


   [Schneier96] Schneier, B., "Applied Cryptography Second Edition",
                John Wiley & Sons, New York, NY, 1996.  ISBN 0-471-
                12845-7.

   [Wiener94]   Wiener, M.J., "Efficient DES Key Search", School of
                Computer Science, Carleton University, Ottawa, Canada,
                TR-244, May 1994.  Presented at the Rump Session of
                Crypto '93. [Reprinted in "Practical Cryptography for
                Data Internetworks", W.Stallings, editor, IEEE Computer
                Society Press, pp.31-79 (1996).  Currently available at
                ftp://ripem.msu.edu/pub/crypt/docs/des-key-search.ps.]

   [ESP]        Kent, S., and R. Atkinson, "IP Encapsulating Security
                Payload (ESP)", RFC 2406, November 1998.

   [AH]         Kent, S., and R. Atkinson, "IP Authentication Header
                (AH)", RFC 2402, November 1998.

   [arch]       Kent, S., and R. Atkinson, "Security Architecture for
                the Internet Protocol", RFC 2401, November 1998.

   [road]       Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
                Document Roadmap", RFC 2411, November 1998.

8. Acknowledgments

   Much of the information provided here originated with various ESP-DES
   documents authored by Perry Metzger and William Allen Simpson,
   especially the Security Considerations section.

   This document is also derived in part from previous works by Jim
   Hughes, those people that worked with Jim on the combined DES-
   CBC+HMAC-MD5 ESP transforms, the ANX bakeoff participants, and the
   members of the IPsec working group.

   Thanks to Rob Glenn for assisting with the nroff formatting.















Madson & Doraswamy          Standards Track                     [Page 8]

RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998


   The IPSec working group can be contacted via the IPSec working
   group's mailing list (ipsec@tis.com) or through its chairs:

     Robert Moskowitz
     International Computer Security Association

     EMail: rgm@icsa.net


     Theodore Y. Ts'o
     Massachusetts Institute of Technology

     EMail: tytso@MIT.EDU


9. Editors' Addresses

   Cheryl Madson
   Cisco Systems, Inc.

   EMail: cmadson@cisco.com


   Naganand Doraswamy
   Bay Networks, Inc.

   EMail: naganand@baynetworks.com
























Madson & Doraswamy          Standards Track                     [Page 9]

RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998


10.  Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
























Madson & Doraswamy          Standards Track                    [Page 10]