[ipsec] aes-ctr question

Eygene Ryabinkin rea-fbsd at codelabs.ru
Wed Dec 10 00:28:20 PST 2008


Yvan, good day.

Wed, Dec 03, 2008 at 09:25:49AM +0100, VANHULLEBUS Yvan wrote:
> On Wed, Dec 03, 2008 at 10:54:55AM +0300, Eygene Ryabinkin wrote:
> [...]
> > Good catch.  Perhaps setkey should be extended to warn the user about
> > this neat.  The patch is attached.  George, people, what do you think
> > about it?
> 
> If we're going to add security warnings in setkey, we could just put a
> warning when using static keys (so basically put a warning for "add"
> command....).

In general -- you're perfectly right: people should use IKE and company.

But CTR mode is particularly evil in respect to the nonce sensitivity:
for the given key and initialization vector it will produce the same
gamma (running key in English terminology) used for encryption and
decryption.  But we seem to be more-or-less safe here: IV is generated
randomly, so one will have 2^64 different initialization vectors for a
single passphrase.

Sooo, the issue seems to be of a less value, but still -- it is here.
And for a passive attacker who has access to all CTR mode sessions with
static keys it will be rather simple to analyze them for the gamma
coincidence: providing that the first bytes of the packets to be
encrypted are the same (think UDP/TCP header or something similar), then
it should just XOR the stream beginnings and wait until the bits that
correspond to the same (constant) bits of the payload are zeroed.
Sufficient number of zeros will indicate gamma coincidence and one can
focus on further fun with such streams.

Of course, I may be missing something.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
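Added example, not part of the mail above and not FreeBSD's setkey or
IPsec code: a small CTR-mode model that shows the property the mail
describes (same key + same IV gives the same gamma, so the XOR of two
ciphertexts equals the XOR of the two plaintexts) and the check it
proposes (XOR the packet beginnings and count zero positions over the
constant header).  Assumptions: SHA-256 of key||iv||counter stands in
for an AES block so the example runs on the Python standard library; the
packets, header, key and IVs are constructed sample data; `HEADER_LEN`
and `THRESHOLD` are illustrative parameters chosen here, not values from
the mail.

```python
import hashlib
import os
import struct

BLOCK_SIZE = 16
HEADER_LEN = 8   # assumed length of the constant packet prefix
THRESHOLD = 6    # assumed number of zero bytes that counts as suspicious


def keystream_block(key: bytes, iv: bytes, counter: int) -> bytes:
    """One block of CTR keystream ("gamma").  Assumption: SHA-256 replaces
    AES here; the reuse property below does not depend on the block cipher."""
    return hashlib.sha256(key + iv + struct.pack(">Q", counter)).digest()[:BLOCK_SIZE]


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR mode: XOR the data with the keystream derived from (key, iv).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK_SIZE):
        block = keystream_block(key, iv, offset // BLOCK_SIZE)
        chunk = data[offset:offset + BLOCK_SIZE]
        out.extend(c ^ k for c, k in zip(chunk, block))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def zero_bytes_in_prefix(c1: bytes, c2: bytes, prefix_len: int = HEADER_LEN) -> int:
    """The check from the mail: XOR two ciphertext beginnings and count the
    positions that came out zero.  Where the plaintext headers agree, a
    shared gamma cancels out completely."""
    return sum(1 for b in xor_bytes(c1[:prefix_len], c2[:prefix_len]) if b == 0)


def keystream_reuse_suspected(c1: bytes, c2: bytes) -> bool:
    return zero_bytes_in_prefix(c1, c2) >= THRESHOLD


# Constructed sample packets: an identical 8-byte prefix (stands in for a
# UDP/TCP header) followed by different payloads of equal length.
HEADER = b"\x45\x00\x00\x3c\x00\x00\x40\x11"
PACKET_A = HEADER + b"first datagram payload"
PACKET_B = HEADER + b"second datagram body.."

KEY = b"constructed-static-key-for-demo!"  # constructed; a static key set via setkey "add"


def encrypt_pair(iv_a: bytes, iv_b: bytes):
    """Encrypt both packets under the static KEY with the given IVs."""
    return ctr_crypt(KEY, iv_a, PACKET_A), ctr_crypt(KEY, iv_b, PACKET_B)


def fixed_iv_case():
    """Worst case: static key and a constant IV, so the gamma repeats."""
    return encrypt_pair(bytes(BLOCK_SIZE), bytes(BLOCK_SIZE))


def random_iv_case():
    """What a randomly generated IV buys: a fresh gamma per packet."""
    return encrypt_pair(os.urandom(BLOCK_SIZE), os.urandom(BLOCK_SIZE))


if __name__ == "__main__":
    for name, (ca, cb) in (("fixed IV", fixed_iv_case()), ("random IV", random_iv_case())):
        print(f"{name}: zero bytes over header = {zero_bytes_in_prefix(ca, cb)}, "
              f"reuse suspected = {keystream_reuse_suspected(ca, cb)}")
```

With the fixed IV the XOR of the two ciphertexts is exactly the XOR of the
two plaintexts, so the eight header bytes come out as eight zeros; with
distinct IVs the same XOR looks random and the count stays low.  The
false-positive rate of the check is set by `THRESHOLD`: with eight
independent bytes, six or more zeros by chance is on the order of
10^-13, which is why a handful of zero bytes is already a strong signal
and why a warning for static keys in setkey is worth having.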