
Re: Last Call: 'Encryption and Checksum Specifications for Kerberos 5' to Proposed Standard



Repeating post to WG <ilu4r0790ch.fsf@latte.josefsson.org> related to
initialization vectors defined by the current version of the document:

encryption function       conf = random string of length c
                          pad = shortest string to bring confounder
                                and plaintext to a length that's a
                                multiple of m
                          C1 = E(Ke, conf | plaintext | pad,
                                 oldstate.ivec)
                          H1 = HMAC(Ki, conf | plaintext | pad)
                          ciphertext =  C1 | H1[1..h]
                          newstate.ivec = last c of C1

The last line is problematic: using the last encrypted cipher block as
the next IV is in general not a good idea.

The AES document uses CBC with CTS, which in some situations amounts to
swapping the final two blocks, thus causing one IV to be used twice.

Thanks,
Simon

The IESG <iesg-secretary@ietf.org> writes:

> The IESG has received a request from the Kerberos WG WG to consider the following document:
>
> - 'Encryption and Checksum Specifications for Kerberos 5'
>    <draft-ietf-krb-wg-crypto-05.txt> as a Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action.  Please send any comments to the
> iesg@ietf.org or ietf@ietf.org mailing lists by 2003-09-22.
>
> The file can be obtained via
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-05.txt
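As an added illustration of the block swap raised in the post above (this is not code from the post or from the draft), the following Go program runs AES-CBC with the ciphertext stealing used by the AES enctypes, using a constructed key and a zero IV, and checks what "newstate.ivec = last c of C1" actually selects: for a message whose tail is a whole block it is the penultimate CBC block C(n-1), the value that already chained into Pn, so a following message that begins with Pn encrypts to the same Cn.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

const bs = aes.BlockSize

// cbcCTS runs AES-CBC over pt (longer than one block, zero-padded) and
// applies ciphertext stealing: the output is C1..C(n-2) | Cn | C(n-1)[:tail].
// With a whole-block tail this is exactly a swap of the last two CBC blocks.
func cbcCTS(blk cipher.Block, iv, pt []byte) (raw, cts []byte) {
	if len(pt) <= bs {
		panic("cbcCTS: need more than one block")
	}
	tail := len(pt) % bs
	if tail == 0 {
		tail = bs
	}
	padded := append(append([]byte{}, pt...), make([]byte, bs-tail)...)
	raw = make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(raw, padded)
	n := len(raw) / bs
	cts = append(cts, raw[:(n-2)*bs]...)
	cts = append(cts, raw[(n-1)*bs:]...)              // Cn, in full
	cts = append(cts, raw[(n-2)*bs:(n-2)*bs+tail]...) // C(n-1), truncated
	return raw, cts
}

// chainedIV is what "newstate.ivec = last c of C1" selects from the CTS
// output: the final block-sized slice of the transmitted ciphertext.
func chainedIV(cts []byte) []byte { return cts[len(cts)-bs:] }

// ivReused reports whether the chained IV equals the penultimate CBC block
// C(n-1), which already chained into Pn, and whether a following message
// beginning with Pn therefore encrypts to Cn again (equal plaintext blocks
// become visible to an observer across messages).
func ivReused(blk cipher.Block, iv, pt []byte) (isPenultimate, sameCiphertext bool) {
	raw, cts := cbcCTS(blk, iv, pt)
	next := chainedIV(cts)
	isPenultimate = bytes.Equal(next, raw[len(raw)-2*bs:len(raw)-bs])
	c := make([]byte, bs)
	cipher.NewCBCEncrypter(blk, next).CryptBlocks(c, pt[len(pt)-bs:])
	sameCiphertext = bytes.Equal(c, raw[len(raw)-bs:])
	return isPenultimate, sameCiphertext
}
```

With a short tail the last c bytes of the CTS output straddle Cn and the truncated C(n-1), so the chained value is not a CBC block at all.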