draft-ietf-ipsec-ciph-des-expiv-00.txt   draft-ietf-ipsec-ciph-des-expiv-01.txt 
Network Working Group IPsec Working Group Network Working Group IPsec Working Group
INTERNET DRAFT C. Madson INTERNET DRAFT C. Madson
Expires in six months Cisco Systems, Inc. Expires in Six Months Cisco Systems, Inc.
N. Doraswamy N. Doraswamy
Bay Networks, Inc. Bay Networks, Inc.
July 1997 November 1997
The ESP DES-CBC Cipher Algorithm The ESP DES-CBC Cipher Algorithm
With Explicit IV With Explicit IV
<draft-ietf-ipsec-ciph-des-expiv-00.txt> <draft-ietf-ipsec-ciph-des-expiv-01.txt>
Status of this Memo Status of this Memo
This document is a submission to the IETF Internet Protocol Security This document is a submission to the IETF Internet Protocol Security
(IPSEC) Working Group. Comments are solicited and should be addressed (IPSEC) Working Group. Comments are solicited and should be addressed
to the working group mailing list (ipsec@tis.com) or to the editor. to the working group mailing list (ipsec@tis.com) or to the authors.
This document is an Internet-Draft. Internet Drafts are working This document is an Internet-Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working Groups. Note that other groups may also distribute and its working Groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.
Internet-Drafts draft documents are valid for a maximum of six months Internet-Drafts draft documents are valid for a maximum of six months
and may be updated, replaced, or obsolete by other documents at any and may be updated, replaced, or obsolete by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
skipping to change at page 2, line 5 skipping to change at page 2, line 5
Distribution of this memo is unlimited. Distribution of this memo is unlimited.
Abstract Abstract
This document describes the use of the DES Cipher algorithm in Cipher This document describes the use of the DES Cipher algorithm in Cipher
Block Chaining Mode, with an explicit IV, as a confidentiality Block Chaining Mode, with an explicit IV, as a confidentiality
mechanism within the context of the IPSec Encapsulating Security mechanism within the context of the IPSec Encapsulating Security
Payload (ESP). Payload (ESP).
INTERNET DRAFT November 1997 Expires in Six Months
1. Introduction 1. Introduction
This document describes the use of the DES Cipher algorithm in Cipher This document describes the use of the DES Cipher algorithm in Cipher
Block Chaining Mode as a confidentiality mechanism within the context Block Chaining Mode as a confidentiality mechanism within the context
of the Encapsulating Security Payload. of the Encapsulating Security Payload.
DES is a symmetric block cipher algorithm. The algorithm is described DES is a symmetric block cipher algorithm. The algorithm is described
in [FIPS-46][FIPS-46-1][FIPS-74][FIPS-81]. [Simpson97a] provides a in [FIPS-46][FIPS-46-1][FIPS-74][FIPS-81]. [Schneier96] provides a
general description of Cipher Block Chaining Mode, a mode which is general description of Cipher Block Chaining Mode, a mode which is
applicable to several encryption algorithms. applicable to several encryption algorithms.
As specified in this draft, DES-CBC is not an authentication As specified in this draft, DES-CBC is not an authentication
mechanism. [Although DES-MAC, described in [Schneier96] amongst other mechanism. [Although DES-MAC, described in [Schneier96] amongst other
places, does provide authentication, DES-MAC is not discussed here.] places, does provide authentication, DES-MAC is not discussed here.]
For further information on how the various pieces of ESP fit together For further information on how the various pieces of ESP fit together
to provide security services, refer to [ESP] and [Thayer97a]. to provide security services, refer to [ESP] and [Thayer97].
In this document, the keywords "MAY", "MUST", "optional", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"recommended", "required", "SHOULD", and "SHOULD NOT", are to be "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
interpreted as described in [RFC-2119]. document are to be interpreted as described in [RFC-2119].
2. Algorithm and Mode 2. Algorithm and Mode
DES-CBC is a symmetric secret-key block algorithm. It has a block DES-CBC is a symmetric secret-key block algorithm. It has a block
size of 64 bits. size of 64 bits.
[FIPS-46][FIPS-46-1][FIPS-74] and [FIPS-81] describe the DES [FIPS-46][FIPS-46-1][FIPS-74] and [FIPS-81] describe the DES
algorithm, while [Simpson97a] provides a good description of CBC algorithm, while [Schneier96] provides a good description of CBC
mode. mode.
2.1 Performance 2.1 Performance
Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a 90 Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a 90
MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium. Other DES MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium. Other DES
speed estimates may be found in [Schneier96]. speed estimates may be found in [Schneier96].
3. ESP Payload 3. ESP Payload
skipping to change at page 2, line 58 skipping to change at page 3, line 4
Including the IV in each datagram ensures that decryption of each Including the IV in each datagram ensures that decryption of each
received datagram can be performed, even when some datagrams are received datagram can be performed, even when some datagrams are
dropped, or datagrams are re-ordered in transit. dropped, or datagrams are re-ordered in transit.
Implementation note: Implementation note:
Common practice is to use random data for the first IV and the Common practice is to use random data for the first IV and the
last 8 octets of encrypted data from an encryption process as the last 8 octets of encrypted data from an encryption process as the
IV for the next encryption process; this logically extends the CBC IV for the next encryption process; this logically extends the CBC
across the packets. It also has the advantage of limiting the across the packets. It also has the advantage of limiting the
INTERNET DRAFT November 1997 Expires in Six Months
leakage of information from the random number genrator. No matter leakage of information from the random number genrator. No matter
which mechnism is used, the receiver MUST NOT assume any meaning which mechnism is used, the receiver MUST NOT assume any meaning
for this value, other than that it is an IV. for this value, other than that it is an IV.
The payload field, as defined in [ESP], is broken down according to The payload field, as defined in [ESP], is broken down according to
the following diagram: the following diagram:
+---------------+---------------+---------------+---------------+ +---------------+---------------+---------------+---------------+
| | | |
+ Initialization Vector (IV) + + Initialization Vector (IV) +
skipping to change at page 3, line 26 skipping to change at page 3, line 30
~ Encrypted Payload (variable length) ~ ~ Encrypted Payload (variable length) ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
3.1 Block Size and Padding 3.1 Block Size and Padding
The DES-CBC algorithm described in this document MUST use a block The DES-CBC algorithm described in this document MUST use a block
size of 8 octets (64 bits). size of 8 octets (64 bits).
When padding is required, it SHOULD be done according to the When padding is required, it MUST be done according to the
conventions specified in [ESP]. conventions specified in [ESP].
4. Key Material 4. Key Material
DES-CBC is a symmetric secret key algorithm. The key size is 64-bits. DES-CBC is a symmetric secret key algorithm. The key size is 64-bits.
[It is commonly known as a 56-bit key as the key has 56 significant [It is commonly known as a 56-bit key as the key has 56 significant
bits; these 56 bits are stored in an 8-byte (64- bit) value, where bits; these 56 bits are stored in an 8-byte (64- bit) value, where
each byte has seven significant bits from the 56-bit value and the each byte has seven significant bits from the 56-bit value and the
least significant bit is used as a parity bit.] least significant bit is used as a parity bit.]
[some document] describes the general mechanism to derive keying [ESP] describes the general mechanism to derive keying material for
material for the ESP transform. The derivation of the key from some the ESP transform. The derivation of the key from some amount of
amount of keying material does not differ between the manually- and keying material does not differ between the manually- and
automatically-keyed security associations. automatically-keyed security associations.
The mechanism MUST derive a 64-bit key value for use by this cipher. The mechanism MUST derive a 64-bit key value for use by this cipher.
This derived value MUST be adjusted for parity as necessary. Weak key This derived value MUST be adjusted for parity as necessary. Weak key
checks will be performed and << behavior to be defined>> checks will be performed; if a weak key is dicovered, the key will be
rejected and IPSEC will request a new SA.
4.1 Weak Keys 4.1 Weak Keys
DES has 64 known weak keys, including so-called semi-weak keys and DES has 64 known weak keys, including so-called semi-weak keys and
possibly-weak keys (from [Schneier96], shown here in hex with parity possibly-weak keys (from [Schneier96] -- corrected version provided
bits): by William Allan Simpson -- shown here in hex with parity bits):
0101 0101 0101 0101 0101 0101 0101 0101
1f1f 1f1f 0e0e 0e0e 1f1f 1f1f 0e0e 0e0e
e0e0 e0e0 f1f1 f1f1 e0e0 e0e0 f1f1 f1f1
fefe fefe fefe fefe fefe fefe fefe fefe
INTERNET DRAFT November 1997 Expires in Six Months
semi-weak key pairs: semi-weak key pairs:
01fe 01fe 01fe 01fe fe01 fe01 fe01 fe01 01fe 01fe 01fe 01fe fe01 fe01 fe01 fe01
1fe0 1fe0 0ef1 0ef1 e0f1 e0f1 f10e f10e 1fe0 1fe0 0ef1 0ef1 e0f1 e0f1 f10e f10e
01e0 01e0 01f1 01f1 e001 e001 f101 f101 01e0 01e0 01f1 01f1 e001 e001 f101 f101
1ffe 1ffe 0efe 0efe fe1f fe1f fe0e fe0e 1ffe 1ffe 0efe 0efe fe1f fe1f fe0e fe0e
011f 011f 010e 010e 1f01 1f01 0e01 0e01 011f 011f 010e 010e 1f01 1f01 0e01 0e01
e0fe e0fe f1fe f1fe fee0 fee0 fef1 fef1 e0fe e0fe f1fe f1fe fee0 fee0 fef1 fef1
possibly-weak keys: possibly-weak keys:
skipping to change at page 4, line 50 skipping to change at page 4, line 53
1fe0 e01f 0ef1 f10e fefe e0e0 fefe f1f1 1fe0 e01f 0ef1 f10e fefe e0e0 fefe f1f1
01fe e01f 01fe f10e e0fe fee0 f1fe fef1 01fe e01f 01fe f10e e0fe fee0 f1fe fef1
01e0 fe1f 01f1 fe0e fee0 e0fe fef1 f1fe 01e0 fe1f 01f1 fe0e fee0 e0fe fef1 f1fe
1ffe fe1f 0efe fe0e e0e0 fefe f1f1 fefe 1ffe fe1f 0efe fe0e e0e0 fefe f1f1 fefe
Implementations SHOULD take care not to select weak keys [CN94], Implementations SHOULD take care not to select weak keys [CN94],
although the likelihood of picking one at random is negligible. although the likelihood of picking one at random is negligible.
4.2 Key Lifetime 4.2 Key Lifetime
[Simpson97a] discusses collisions, which can provide information that There are no current recommendations for key lifetime.
an attacker can use to recover the key.
[***need reference info here***] The maximum key lifetime is 2**32
64-byte blocks. The recommended key lifetime is ***** bytes and *****
seconds.
5. Interaction with Authentication Algorithms 5. Interaction with Authentication Algorithms
As of this writing, there are no known issues which preclude the use As of this writing, there are no known issues which preclude the use
of the DES-CBC algorithm with any specific authentication algorithm. of the DES-CBC algorithm with any specific authentication algorithm.
INTERNET DRAFT November 1997 Expires in Six Months
6. Security Considerations 6. Security Considerations
[Much of this section was originally written by William Allen Simpson [Much of this section was originally written by William Allen Simpson
and Perry Metzger.] and Perry Metzger.]
Users need to understand that the quality of the security provided by Users need to understand that the quality of the security provided by
this specification depends completely on the strength of the DES this specification depends completely on the strength of the DES
algorithm, the correctness of that algorithm's implementation, the algorithm, the correctness of that algorithm's implementation, the
security of the Security Association management mechanism and its security of the Security Association management mechanism and its
implementation, the strength of the key [CN94], and upon the correct- implementation, the strength of the key [CN94], and upon the correct-
ness of the implementations in all of the participating nodes. ness of the implementations in all of the participating nodes.
The security considerations section of [Simpson97a] discusses the cut [Bell95] and [Bell96] describe a cut and paste splicing attack which
and paste splicing attack described by [Bell95, Bell96], as it applies to all Cipher Block Chaining algorithms. This attack can be
applies to all Cipher Block Chaining algorithms. addressed with the use of an authentication mechanism.
The use of the cipher mechanism without any corresponding The use of the cipher mechanism without any corresponding
authentication mechanism is strongly discouraged. This cipher can be authentication mechanism is strongly discouraged. This cipher can be
used in an ESP transform that also includes authentication; it can used in an ESP transform that also includes authentication; it can
also be used in an ESP transform that doesn't include authentication also be used in an ESP transform that doesn't include authentication
provided there is an companion AH header. Refer to [ESP], [AH], provided there is an companion AH header. Refer to [ESP], [AH],
[arch], and [Thayer97a] for more details. [arch], and [Thayer97] for more details.
[***the following paragraph edited slightly***] If self-describing When the default ESP padding is used, the padding bytes have a
padding is used, the padding bytes have a predictable value. They predictable value. They provide a small measure of tamper detection
provide a small measure of tamper detection on their own block and on their own block and the previous block in CBC mode. This makes it
the previous block in CBC mode. This makes it somewhat harder to somewhat harder to perform splicing attacks, and avoids a possible
perform splicing attacks, and avoids a possible covert channel. This covert channel. This small amount of known plaintext does not create
small amount of known plaintext does not create any problems for any problems for modern ciphers.
modern ciphers. [*** ISSUE: can't assume that SDP is in use, so the
bytes won't be predictable***]
[***the following paragraph edited slightly***] At the time of At the time of writing of this document, [BS93] demonstrated a dif-
writing of this document, [BS93] demonstrated a dif- ferential ferential cryptanalysis based chosen-plaintext attack requiring 2^47
cryptanalysis based chosen-plaintext attack requiring 2^47
plaintext-ciphertext pairs, where the size of a pair is the size of a plaintext-ciphertext pairs, where the size of a pair is the size of a
DES block (64 bits). [Matsui94] demonstrated a linear cryptanalysis DES block (64 bits). [Matsui94] demonstrated a linear cryptanalysis
based known-plaintext attack requiring only 2^43 plain- text- based known-plaintext attack requiring only 2^43 plain- text-
ciphertext pairs. Although these attacks are not considered ciphertext pairs. Although these attacks are not considered
practical, they must be taken into account. practical, they must be taken into account.
More disturbingly, [Weiner94] has shown the design of a DES cracking More disturbingly, [Weiner94] has shown the design of a DES cracking
machine costing $1 Million that can crack one key every 3.5 hours. machine costing $1 Million that can crack one key every 3.5 hours.
This is an extremely practical attack. This is an extremely practical attack.
skipping to change at page 6, line 13 skipping to change at page 6, line 5
this attack. this attack.
It is suggested that DES is not a good encryption algorithm for the It is suggested that DES is not a good encryption algorithm for the
protection of even moderate value information in the face of such protection of even moderate value information in the face of such
equipment. Triple DES is probably a better choice for such purposes. equipment. Triple DES is probably a better choice for such purposes.
However, despite these potential risks, the level of privacy provided However, despite these potential risks, the level of privacy provided
by use of ESP DES-CBC in the Internet environment is far greater than by use of ESP DES-CBC in the Internet environment is far greater than
sending the datagram as cleartext. sending the datagram as cleartext.
INTERNET DRAFT November 1997 Expires in Six Months
7. References 7. References
[Bell95] Bellovin, S., "An Issue With DES-CBC When Used Without [Bell95] Bellovin, S., "An Issue With DES-CBC When Used Without
Strong Integrity", Presentation at the 32nd Internet Engineering Strong Integrity", Presentation at the 32nd Internet Engineering
Task Force, Danvers Massachusetts, April 1995. Task Force, Danvers Massachusetts, April 1995.
[Bell96] Bellovin, S., "Problem Areas for the IP Security Protocols", [Bell96] Bellovin, S., "Problem Areas for the IP Security Protocols",
Proceedings of the Sixth Usenix Security Symposium, July 1996. Proceedings of the Sixth Usenix Security Symposium, July 1996.
[BS93] Biham, E., and Shamir, A., "Differential Cryptanalysis of [BS93] Biham, E., and Shamir, A., "Differential Cryptanalysis of
skipping to change at page 7, line 6 skipping to change at page 6, line 54
Requirement Levels", RFC-2119/BCP 14, March, 1997. Requirement Levels", RFC-2119/BCP 14, March, 1997.
[Schneier96] Schneier, B., "Applied Cryptography Second Edition", [Schneier96] Schneier, B., "Applied Cryptography Second Edition",
John Wiley & Sons, New York, NY, 1996. ISBN 0-471-12845-7. John Wiley & Sons, New York, NY, 1996. ISBN 0-471-12845-7.
[Weiner94] Wiener, M.J., "Efficient DES Key Search", School of [Weiner94] Wiener, M.J., "Efficient DES Key Search", School of
Computer Science, Carleton University, Ottawa, Canada, TR-244, May Computer Science, Carleton University, Ottawa, Canada, TR-244, May
1994. Presented at the Rump Session of Crypto '93. 1994. Presented at the Rump Session of Crypto '93.
[ESP] Kent, S., Atkinson, R., "IP Encapsulating Security Payload [ESP] Kent, S., Atkinson, R., "IP Encapsulating Security Payload
(ESP)", draft-ietf-ipsec-esp-04.txt, work in progress, May 30, 1997. (ESP)", draft-ietf-ipsec-esp-v2-02.txt, work in progress, November
1997.
[AH] Kent, S., Atkinson, R., "IP Authentication Header (AH)", [AH] Kent, S., Atkinson, R., "IP Authentication Header (AH)",
draft-ietf-ipsec-auth-05.txt, work in progress, May 30, 1997. draft-ietf-ipsec-auth-header-03.txt, work in progress, November
1997.
[arch] the security architecture doc INTERNET DRAFT November 1997 Expires in Six Months
[Simpson97a] Bill's CBC doc [arch] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", draft-ietf-ipsec-arch-sec-02.txt, work in
progress, November 1997.
[Thayer97a] the framework draft [Thayer97] Thayer, R., Doraswamy, N., Glenn, R., "IP Security
Document Roadmap", draft-ietf-ipsec-doc-roadmap-02.txt, work in
progress, November, 1997.
8. Acknowledgments 8. Acknowledgments
Much of the information provided here originated with various ESP-DES Much of the information provided here originated with various ESP-DES
documents authored by Perry Metzger and William Allen Simpson, documents authored by Perry Metzger and William Allen Simpson,
including the data entry of the known weak key values, and especially including the data entry of the known weak key values, and especially
the Security Considerations section. the Security Considerations section.
This document is also derived in part from previous works by Jim This document is also derived in part from previous works by Jim
Hughes, those people that worked with Jim on the combined DES- Hughes, those people that worked with Jim on the combined DES-
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/