
To: "CIPE-list" <cipe-l,AT,inka,DOT,de>
Subject: Relevant information
From: "Hans Steegers" <hsx,AT,dds,DOT,nl>
Date: Sun, 28 Sep 2003 23:49:43 +0200
Reply-to: "Hans Steegers" <steegers,AT,steegers,DOT,nl>

The following information is IMHO relevant for a discussion on CIPE's future
and may help to discuss this future based on facts rather than on FUD.

Linux Journal:
[1] The Linux Kernel Cryptographic API - James Morris
http://www.linuxjournal.com/print.php?sid=6451
*** Jake Appelbaum, Mark Tinberg, PLEASE READ THIS:
"Compression--this is often used in conjunction with encryption so that it
is more difficult to exploit weaknesses related to the original plain text
as well as to speed up encryption (i.e., compressed plain text is shorter).
By definition, encrypted data should be difficult to compress, but this
adversely affects performance over links that normally utilize compression.
Compressing data before encryption helps reduce this performance hit in many
cases. Examples of compression algorithms are LZS and Deflate."
[Ref: http://www.linuxjournal.com/print.php?sid=6451 (Algorithms - 3)]

[2] The IP Security Protocol, Part 1
http://www.linuxjournal.com/print.php?sid=6117
[3] The IP Security Protocol, Part 2
http://www.linuxjournal.com/print.php?sid=6316

NIST:
[4] FIPS PUB 198 - HMAC
http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf/

[5] FIPS PUB 180-2 - Secure Hash Standard (SHA-1, SHA-256, SHA-384 and SHA-512)
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

[6] http://www.ietf.org/rfc/rfc*.txt
RFC 1321 - The MD5 Message-Digest Algorithm
RFC 2085 - HMAC-MD5 IP Authentication with Replay Prevention
RFC 2104 - HMAC
RFC 2202 - Test Cases for HMAC-MD5 and HMAC-SHA-1
RFC 2401 - Security Architecture for the Internet Protocol
RFC 2404 - The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2411 - IP Security Document Roadmap
RFC 2451 - The ESP CBC-Mode Cipher Algorithms
...

[7] More references at:
http://www.ietf.org/html.charters/ipsec-charter.html

[8] HOWTOS:
http://www.tldp.org/HOWTO/VPN-HOWTO/ [2002-05]
http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO [2000-10] ** dated **
Traffic that uses the AH protocol cannot be masqueraded. The AH protocol
incorporates a cryptographic checksum across the IP addresses that the
masquerade gateway cannot correctly regenerate. Thus, all masqueraded AH
traffic will be discarded as having invalid checksums.
IPsec traffic using transport-mode ESP also cannot be reliably masqueraded.
Transport mode ESP essentially encrypts everything after the IP header.
Since, for example, the TCP and UDP checksums include the IP source and
destination addresses, and the TCP/UDP checksum is within the encrypted
payload and thus cannot be recalculated after the masquerade gateway alters
the IP addresses, the TCP/UDP header will fail the checksum test at the
remote gateway and the packet will be discarded. Protocols that do not
include information about the source or destination IP addresses may
successfully use masqueraded transport mode.
[Ref: http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO-6.html#ss6.1]

[9] CRC
* A PAINLESS GUIDE TO CRC ERROR DETECTION ALGORITHMS
ftp://ftp.rocksoft.com/papers/crc_v3.txt
* CRC-xx Collision Test by Matt Dillon:
http://apollo.backplane.com/matt/crc64.html
(Looks like a CRC-64 is safe..)
* A hard-wired CRC-64 implementation
http://lists.boost.org/MailArchives/boost/msg27062.php
http://lists.boost.org/MailArchives/boost/msg27077.php
* general crc
http://www2.rad.com/networks/1994/err_con/crc.htm
* CRC-32 vulnerability in SSH1
http://www.kb.cert.org/vuls/id/25309
* Denial of service attack against SSH key exchange
http://www.hut.fi/~mkousa/ssh/ssh-dos.html

[10] Abbreviations:
AH   Authentication Header (IPSec)
ESP  Encapsulating Security Payload (IPSec)
MAC  Message Authentication Code
HMAC Hashing MAC
SHA  Secure Hash
CBC  Cipher Block Chaining
IV   Initial Vector

[11] Note that SHA comes from the National S{neek|noop|pook|ecurity} Agency.
The NSA fooled the public once: DES coded messages could easily be decoded
by the NSA for 20 (!!!) years before the (so-called expert) cryptographers
discovered differential cryptanalysis and found this weakness.

[12]
My conclusion is: we still need CIPE (speed, simplicity, elegance) and it
fits extremely well in the new kernel using the new crypto/compression api.

__________________________________________________
Hans Steegers
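
The HOWTO passage quoted under [8] in concrete form: an added example (not part of this message or of the HOWTO) that computes a TCP checksum over the IPv4 pseudo-header and shows that a masquerading gateway keeps the segment valid only when it can rewrite the checksum, which it cannot do inside transport-mode ESP. Addresses, ports and payload are constructed; the encryption itself is not modelled, only the gateway's inability to touch the protected segment.

```python
import struct
from ipaddress import IPv4Address

CSUM_OFF = 16  # offset of the checksum field in the 20-byte TCP header


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IP-layer fields the TCP checksum also covers: src, dst, zero, proto 6, length."""
    return struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed,
                       0, 6, tcp_len)


def patch_checksum(src: str, dst: str, seg: bytes) -> bytes:
    """Recompute the TCP checksum of `seg` for the given address pair."""
    zeroed = seg[:CSUM_OFF] + b"\x00\x00" + seg[CSUM_OFF + 2:]
    csum = rfc1071_checksum(pseudo_header(src, dst, len(seg)) + zeroed) or 0xFFFF
    return zeroed[:CSUM_OFF] + struct.pack("!H", csum) + zeroed[CSUM_OFF + 2:]


def build_tcp_segment(src, dst, sport, dport, payload: bytes) -> bytes:
    """Minimal TCP header (seq 1, ack 1, PSH|ACK, window 65535) plus payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return patch_checksum(src, dst, hdr + payload)


def checksum_valid(src, dst, seg: bytes) -> bool:
    """Receiver side: sum over the addresses it sees plus the segment; 0 means intact."""
    return rfc1071_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0


def masquerade(seg: bytes, new_src: str, dst: str, inside_esp: bool) -> bytes:
    """Gateway rewrites the outer source address. In the clear it can also patch the
    TCP checksum; inside transport-mode ESP the segment is opaque, so it cannot."""
    return seg if inside_esp else patch_checksum(new_src, dst, seg)


def demo() -> dict:
    """Constructed addresses: host 10.0.0.5 behind gateway 198.51.100.1 (RFC 5737
    documentation range) talks to 192.0.2.10; the gateway rewrites the source."""
    seg = build_tcp_segment("10.0.0.5", "192.0.2.10", 40000, 22, b"constructed")
    clear = masquerade(seg, "198.51.100.1", "192.0.2.10", inside_esp=False)
    esp = masquerade(seg, "198.51.100.1", "192.0.2.10", inside_esp=True)
    return {"clear_ok": checksum_valid("198.51.100.1", "192.0.2.10", clear),
            "esp_ok": checksum_valid("198.51.100.1", "192.0.2.10", esp)}
```

The same argument applies to UDP, whose checksum covers the same pseudo-header; AH fails for the analogous reason, its ICV covering the IP addresses directly.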

