From owner-freebsd-net@FreeBSD.ORG Wed Dec 10 08:28:20 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 14C00106564A; Wed, 10 Dec 2008 08:28:20 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id B27978FC1E; Wed, 10 Dec 2008 08:28:19 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender; b=keSpl9tdPK79Ej23nSOnP3111KEqk+B781DzzTKtIAlR39s7qHK/BOo5CgIIt+EeQe9thvnN6HaCWiHpqpmc89/AY2wdp5TQgH3Htl4ANT5gF0Nhl05fxdNuDE2KiJ42ABNiSuq+Z4vf/29eqYgpPmHiRuuSA1cYbJl/WXv28Wc=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1LAKQc-0002ZL-Dn; Wed, 10 Dec 2008 11:28:18 +0300 Date: Wed, 10 Dec 2008 11:28:17 +0300 From: Eygene Ryabinkin To: VANHULLEBUS Yvan Message-ID: References: <49349E26.30002@redhat.com> <20081203082549.GA62889@zeninc.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="YttKMwf6abDJOSyE" Content-Disposition: inline In-Reply-To: <20081203082549.GA62889@zeninc.net> Sender: rea-fbsd@codelabs.ru Cc: freebsd-net@freebsd.org, Christian Weisgerber , gnn@freebsd.org Subject: Re: [ipsec] aes-ctr question X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2008 08:28:20 -0000 --YttKMwf6abDJOSyE Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Yvan, good day. Wed, Dec 03, 2008 at 09:25:49AM +0100, VANHULLEBUS Yvan wrote: > On Wed, Dec 03, 2008 at 10:54:55AM +0300, Eygene Ryabinkin wrote: > [...] > > Good catch. Perhaps setkey should be extended to warn the user about > > this neat. The patch is attached. George, people, what do you think > > about it? >=20 > If we're going to add security warnings in setkey, we could just put a > warning when using static keys (so basically put a warning for "add" > command....). In general -- you're perfectly right: people should use IKE and company. But CTR mode is particularily evil in respect to the nonce sinsitivity: for the given key and initialization vector it will produce the same gamma (running key in English terminology) used for encryption and decryption. But we seem to be more-or-less safe here: IV is generated randomly, so one will have 2^64 different initialization vectors for a single passphrase. Sooo, the issue seems to be of a less value, but still -- it is here. And for passive attacker who has access to all CTR mode sessions with static keys will be rather simple to analyze for the gamma coincidence: providing that the first bytes of the packets to be encrypted are the same (think UDP/TCP header of something simular), then it should just XOR the stream beginnings and wait when the bits that correspond to the same (constant) bits of the payload will be zeroed. Sufficient number of zeros will indicate gamma coincidence and one can focus on further fun with such streams. Of course, I may be missing something. --=20 Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual =20 )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook=20 {_.-``-' {_/ # --YttKMwf6abDJOSyE Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkk/faEACgkQthUKNsbL7YjQ5wCgtIylNp1663zN1UAqaSguoOj2 RJAAoKDTQmFOZ0SOi6mwpWCI8RAUEYh5 =agz9 -----END PGP SIGNATURE----- --YttKMwf6abDJOSyE--