
To: cipe-l,AT,inka,DOT,de
Subject: Re: CIPE-Win32: communication breakdown
From: Christof Meerwald <cmeerw,AT,web,DOT,de>
Date: Thu, 12 Jun 2003 19:50:30 +0200
In-reply-to: <200306121311.19619.dwilson@ibl.bm>
References: <Pine.LNX.4.44L0.0306121113100.1038-100000@ida.rowland.org> <200306121311.19619.dwilson@ibl.bm>

On Thu, 12 Jun 2003 13:11:19 -0300, Damion Wilson wrote:
> On Thursday 12 June 2003 12:13 pm, you wrote:
>> Sorry, I think we got a little confused over which CIPE is doing what.  If
>> it helps, here is a direct quote from cipe.texinfo:
>>   The key negotiation procedure normally runs as follows: The sender
>>   sends a NK_IND with the new key, then invalidates its own sending key.
>>   Upon receipt of NK_IND, the receiver starts using this key as its
>>   receiving key and sends a NK_ACK. When the sender receives NK_ACK, it
>>   starts using the new key as its sending key. If either of NK_IND or
>>   NK_ACK is lost in transmission, no new key will be used. The sender
>>   should send a new NK_IND (with new key) if no matching NK_ACK is
>>   received within a reasonable amount of time (current specification: 10
>>   seconds).
> And that's what I do in CIPE-Win32 (I read the same section several times).

Please show me where CIPE-Win32 invalidates the sending key when it sends a
NK_IND.

I'll try to make it a bit more clear what happens:

CIPE-Win32                      CIPE

encrypt(data, dynamic key 1) -> decrypt(data, dynamic key 1)

NK_IND(new dynamic key 2)    -> install new dynamic decryption key 2
                                send NK_ACK (this NK_ACK is lost)

encrypt(data, dynamic key 1) -> decrypt(data, dynamic key 2)

and this is what should happen:

CIPE-Win32                      CIPE

encrypt(data, dynamic key 1) -> decrypt(data, dynamic key 1)

NK_IND(new dynamic key 2)    -> install new dynamic decryption key 2
                                send NK_ACK (this NK_ACK is lost)

encrypt(data, static key)    -> decrypt(data, static key)

no NK_ACK received for some time, retry keyexchange
NK_IND(new dynamic key 3)    -> install new dynamic decryption key 3
                             <- send NK_ACK
install new dynamic key 3

encrypt(data, dynamic key 3) -> decrypt(data, dynamic key 3)

bye, Christof

-- 
http://cmeerw.org                                 JID: cmeerw,AT,jabber,DOT,at
mailto cmeerw at web.de
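The two exchanges drawn in the message above, replayed as a small simulation. This is an added example, not code from CIPE, CIPE-Win32 or the author of the message; the class and method names, the `dynN` key labels, the timestamps, and the assumption that the receiver can always decrypt static-key traffic and keeps only the latest dynamic key are modelled on the diagrams, not taken from either implementation.

```python
# Added illustration: names are hypothetical, not taken from CIPE or CIPE-Win32.
STATIC = "static"   # assumption: the peer can always decrypt static-key traffic
NK_TIMEOUT = 10     # seconds, from the cipe.texinfo quote

class Sender:
    def __init__(self, invalidate_on_ind):
        self.invalidate_on_ind = invalidate_on_ind
        self.send_key = None    # None means "no valid dynamic key, use static"
        self.pending = None     # key offered in the outstanding NK_IND
        self.sent_at = 0
        self.serial = 0

    def current_key(self):
        return self.send_key or STATIC

    def send_nk_ind(self, now):
        self.serial += 1
        self.pending, self.sent_at = f"dyn{self.serial}", now
        if self.invalidate_on_ind:
            self.send_key = None    # the step the quoted spec requires
        return self.pending

    def on_nk_ack(self, key):
        if key == self.pending:     # only a matching NK_ACK activates the key
            self.send_key, self.pending = key, None

    def needs_retry(self, now):
        return self.pending is not None and now - self.sent_at >= NK_TIMEOUT

class Receiver:
    def __init__(self):
        self.recv_key = None
    def on_nk_ind(self, key):
        self.recv_key = key         # replaces the previous dynamic key
        return key                  # stands in for the NK_ACK
    def can_decrypt(self, key):
        return key in (STATIC, self.recv_key)

def simulate(invalidate_on_ind):
    s, r, seen = Sender(invalidate_on_ind), Receiver(), []
    def data(now):
        seen.append((now, s.current_key(), r.can_decrypt(s.current_key())))
    s.on_nk_ack(r.on_nk_ind(s.send_nk_ind(0)))       # dyn1 negotiated
    data(1)
    r.on_nk_ind(s.send_nk_ind(2))                    # dyn2 offered, NK_ACK lost
    data(3)
    if s.needs_retry(12):                            # 10 s without NK_ACK
        s.on_nk_ack(r.on_nk_ind(s.send_nk_ind(12)))  # dyn3, NK_ACK delivered
    data(13)
    return seen
```

`simulate(False)` reproduces the first diagram (data sent under the old dynamic key is undecryptable once the NK_ACK is lost); `simulate(True)` reproduces the second, where the sender falls back to the static key until the retried exchange completes.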

