Date:      Wed, 3 Dec 2008 10:54:55 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        Christian Weisgerber <naddy@mips.inka.de>
Cc:        freebsd-net@freebsd.org, gnn@freebsd.org
Subject:   Re: [ipsec] aes-ctr question
Message-ID:  <JsLl5HMkEyWlPKM1sYjNK0G%2BM34@%2BFxG3S39oD8KW2mcneDQRW6aq9s>
In-Reply-To: <gh44rc$11fc$1@lorvorc.mips.inka.de>
References:  <49349E26.30002@redhat.com> <gh44rc$11fc$1@lorvorc.mips.inka.de>


Christian, good day.

Tue, Dec 02, 2008 at 08:12:28PM +0000, Christian Weisgerber wrote:
> wang_jiabo <jiabwang@redhat.com> wrote:
> > add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> > 3ffe:501:ffff:104:21d:fff:fe19:59fc  esp 0x1000 -m tunnel -E aes-ctr
> > "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
>
> Do not use AES-CTR with static keys!  Re-use of keys with a stream
> cipher will allow listeners to recover the plaintext.
> (See section 7 of RFC 3686.)

Good catch.  Perhaps setkey should be extended to warn the user about
this neat.  The patch is attached.  George, people, what do you think
about it?
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

Attachment: warn-user-if-he-wants-AES-CTR-mode.diff

From 9e076653cefc7c987c339d7a0bfd99ad6c83bd83 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 3 Dec 2008 10:48:19 +0300
Subject: [PATCH] setkey: warn user if he wants AES CTR mode

Static encryption keys are very evil with CTR modes: they allow one to
get the XORed plaintext values from two sessions sharing the same key.
Warn the user about the possible consequences.

There are reasons why this mode shouldn't be completely banned from
setkey, and one of them is that the user can do dynamic rekeying by
himself. But in this case he would do better to use IKE or similar to
avoid trouble.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 sbin/setkey/parse.y |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 4107453..6c03810 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -335,6 +335,11 @@ enc_alg
 				return -1;
 			}
 			p_alg_enc =3D $1;
+			if ($1 =3D=3D SADB_X_EALG_AESCTR) {
+				fprintf(stderr,
+				    "WARNING: AES-CTR mode shouldn't be used with static encryption ke=
ys.\n"
+				    "WARNING: See RFC 3686, section 7 for explanations.\n");
+			}
=20
 			p_key_enc_len =3D $2.len;
 			p_key_enc =3D $2.buf;
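Review bot: the warning has no matching setkey(8) documentation; the man page text for `-E aes-ctr` should carry the same statement (AES-CTR is not for statically configured keys, RFC 3686 section 7) so that users who never see stderr, e.g. when setkey runs from an rc script at boot, still learn of it. Two smaller points in this hunk: the condition tests `$1` right after `p_alg_enc = $1;`, so `if (p_alg_enc == SADB_X_EALG_AESCTR)` reads more consistently with the surrounding code, and the message fires for every AES-CTR SA, including ones an external script rekeys regularly, which the commit message accepts but the wording could acknowledge ("... unless the key is rotated frequently; prefer IKE"). Also, as archived the patch is quoted-printable encoded: `=3D` stands for `=` and the string literal is split by a soft line break (`ke=` / `ys.\n`), so decode before applying.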
-- 
1.6.0.4
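The key-reuse problem Christian points to, as an added example that is not part of the thread or of FreeBSD's setkey/IPsec code. It builds the RFC 3686 counter block (the 4-byte nonce taken from the tail of the keying material, the 8-byte per-packet IV, and a 4-byte block counter starting at 1), encrypts two constructed packets under the same key, nonce and IV, and shows that a passive listener who XORs the two ciphertexts gets the XOR of the plaintexts, so one guessable packet exposes the other. That is exactly the exposure a manually keyed SA invites: the key and nonce never change, so security rests on the IV never repeating over the whole life of the key, and nothing enforces that across an SA being deleted and re-added. Real AES is used when the `cryptography` package is installed; otherwise a clearly labelled SHA-256 stand-in for the block function is used (an assumption for offline use, and the attack does not depend on the block function). The packet contents and the zero IV are constructed for the demonstration.

```python
"""Added example (not code from the thread or from FreeBSD's setkey/IPsec):
why a static AES-CTR key is dangerous, using the RFC 3686 counter block."""
import hashlib
import struct

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:  # no 'cryptography' package: fall back to a labelled stand-in
    HAVE_AES = False


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """One 16-byte block under the key: real AES if available, otherwise a
    keyed SHA-256 stand-in (assumption for offline use). CTR mode only
    needs a pseudorandom function here, and the reuse attack below is
    the same whichever one is used."""
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
    return hashlib.sha256(key + block).digest()[:16]


def split_ctr_keymat(keymat: bytes):
    """RFC 3686 keying material is the AES key followed by a 4-byte nonce;
    setkey's -E aes-ctr takes exactly this concatenation, so the 20-byte
    string from the setkey line is a 128-bit key plus the nonce."""
    if len(keymat) not in (16 + 4, 24 + 4, 32 + 4):
        raise ValueError("aes-ctr keymat must be a 16/24/32-byte key + 4-byte nonce")
    return keymat[:-4], keymat[-4:]


def ctr_keystream(key: bytes, nonce: bytes, iv: bytes, nbytes: int) -> bytes:
    """RFC 3686 section 4: counter block = nonce(4) || IV(8) || counter(4),
    the block counter restarting at 1 for every packet."""
    assert len(nonce) == 4 and len(iv) == 8
    out = bytearray()
    counter = 1
    while len(out) < nbytes:
        out += block_encrypt(key, nonce + iv + struct.pack(">I", counter))
        counter += 1
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_ctr_encrypt(keymat: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """ESP payload = plaintext XOR keystream; the IV itself is sent in clear."""
    key, nonce = split_ctr_keymat(keymat)
    return xor(plaintext, ctr_keystream(key, nonce, iv, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """The listener's move: two packets sharing key, nonce and IV share the
    keystream, so c1 XOR c2 = p1 XOR p2, and knowing p1 exposes as many
    bytes of p2 as there are known bytes of p1."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def demo():
    keymat = b"ipv6readylogoaes2to1"      # the static key from the setkey line
    iv = bytes(8)                          # constructed: the IV source has restarted
    p1 = b"GET /index.html HTTP/1.1\r\n"  # constructed, easily guessed first packet
    p2 = b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"  # constructed
    c1 = esp_ctr_encrypt(keymat, iv, p1)
    c2 = esp_ctr_encrypt(keymat, iv, p2)
    leaked = recover_with_known_plaintext(c1, p1, c2)
    # With a never-repeating IV the same arithmetic yields only noise.
    c2_fresh = esp_ctr_encrypt(keymat, bytes(7) + b"\x01", p2)
    noise = recover_with_known_plaintext(c1, p1, c2_fresh)
    return leaked, noise


if __name__ == "__main__":
    leaked, noise = demo()
    print("same IV  ->", leaked)
    print("fresh IV ->", noise)
```

The recovered prefix is the first 26 bytes of the second packet, i.e. the start of the credential header, which is why the RFC insists on automated keying (IKE) for AES-CTR: a fresh key per SA makes IV uniqueness a per-SA property the kernel can actually keep.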





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?JsLl5HMkEyWlPKM1sYjNK0G%2BM34>