From: James Y. <ji...@nt...> - 2002-04-02 23:24:38
On Tue, Apr 02, 2002 at 02:05:35PM -0700, James Yonan wrote:
>> * If you try to use a CFB or OFB mode cipher, OpenVPN fails to warn you that
>> you also need to use the --rand-iv option.
>>
>> * The --rand-iv option currently does not guarantee that each IV is unique
>> for a given key. Uniqueness of IV is a requirement for CFB and OFB mode
>> ciphers. OpenVPN normally uses IVs equal in size to the cipher block size
>It is also required for CBC mode.

Yes, but CBC mode doesn't require that the IV be unique, so using --rand-iv
with CBC mode is still fine.

I'm thinking that it makes more sense to make IV the default, and make the
user explicitly disable and/or show a warning, since IV is really integral to
all modes where multiple messages are being encrypted with the same key.

What I will probably do is change the CBC IV to work like it does in IPSec:
carry forward the IV from the previous datagram but explicitly record it in
the datagram as well (since the datagrams are using an unreliable transport,
packets could get dropped or reordered). The IPSec drafts advise against using
an IV generated pseudo-randomly because they worry it could reveal too much
about the inner workings of the random number generator.

The CFB/OFB IV needs to be unique, so I will probably use something like
[time_t (4 bytes), sequence number (4 bytes)] rather than the carried forward
IV. Bruce Schneier says in "Applied Cryptography" that the IV can be an
incrementing index in these modes.

>> which is usually 64 bits. There is a 50% probability that if you forward
>> 2^32 packets, there will be two packets that have the same IV. The next
>> release of OpenVPN will ensure that each IV is unique when used with a CFB
>> or OFB mode cipher.
>Ah, so actually the CFB and OFB modes do use an IV, but it's just 8 bits
>big? And by virtue of the birthday paradox, that would mean there's 50%
>chance if you forward more than 16 packets.

Sorry, I meant the block size of the cipher, not the block size of the mode.
CFB and OFB modes use 8 byte IVs. OpenVPN gets the IV size of a particular
cipher by calling EVP_CIPHER_CTX_iv_length in OpenSSL.

James
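The three IV schemes discussed in the message above, as an added example that is not OpenVPN's code nor the author's: CBC with the IV carried forward from the previous datagram and written into every datagram so a dropped packet does not break decryption of the next one; OFB with a unique IV built from [time_t (4 bytes), sequence number (4 bytes)], alongside what goes wrong when an OFB IV is reused under the same key; and the birthday-bound estimate for how quickly 64-bit random IVs collide. The block cipher is a toy HMAC-based Feistel permutation standing in for a real 64-bit-block cipher (not secure, only there so the modes are runnable offline); the datagram layout IV || ciphertext, the `!II` packing of the time/sequence IV and all messages and keys are constructed for the example.

```python
"""Added example (not OpenVPN code): IV handling for 64-bit-block CBC and OFB."""
import hashlib
import hmac
import math
import os
import struct
import time

BLOCK = 8  # 64-bit block, the cipher block size the mail quotes


def _f(key: bytes, half: bytes, rnd: int) -> int:
    """Feistel round function: HMAC-SHA256 of the half block, truncated to 32 bits."""
    return int.from_bytes(hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4], "big")


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    """4-round Feistel permutation on 64-bit blocks (toy stand-in, NOT a real cipher)."""
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in rounds:
        l, r = r, l ^ _f(key, r.to_bytes(4, "big"), rnd)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")  # final swap makes decryption the reverse schedule


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(4)))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC over whole blocks (no padding, to keep the focus on the IV)."""
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream block i = E_K(keystream block i-1), starting from the IV; encrypt == decrypt."""
    out, state = [], iv
    for i in range(0, len(data), BLOCK):
        state = toy_encrypt_block(key, state)
        out.append(_xor(data[i:i + BLOCK], state))  # zip() truncates the last partial block
    return b"".join(out)


class CbcSender:
    """CBC with the IV carried forward from the previous datagram AND written into each
    datagram (the IPsec-style scheme the mail describes); only the first IV is random."""
    def __init__(self, key: bytes):
        self.key, self.next_iv = key, os.urandom(BLOCK)

    def send(self, pt: bytes) -> bytes:
        iv = self.next_iv
        ct = cbc_encrypt(self.key, iv, pt)
        self.next_iv = ct[-BLOCK:]  # last ciphertext block becomes the next IV
        return iv + ct  # assumed datagram layout: IV || ciphertext


def cbc_receive(key: bytes, datagram: bytes) -> bytes:
    return cbc_decrypt(key, datagram[:BLOCK], datagram[BLOCK:])


class OfbSender:
    """OFB with a unique IV = time_t (4 bytes) || sequence number (4 bytes), never reused under one key."""
    def __init__(self, key: bytes, clock=time.time):
        self.key, self.clock, self.seq = key, clock, 0

    def next_iv(self) -> bytes:
        iv = struct.pack("!II", int(self.clock()) & 0xFFFFFFFF, self.seq)
        self.seq += 1  # monotonic counter keeps IVs distinct even within one second
        return iv

    def send(self, pt: bytes) -> bytes:
        iv = self.next_iv()
        return iv + ofb_crypt(self.key, iv, pt)


def cbc_survives_packet_loss(key: bytes = b"k" * 16) -> bool:
    """Receiver misses the 2nd datagram; the 3rd still decrypts because its IV travels with it."""
    s = CbcSender(key)
    msgs = [b"first-dg", b"second!!", b"third-dg"]  # constructed 8-byte messages
    dgs = [s.send(m) for m in msgs]
    return cbc_receive(key, dgs[2]) == msgs[2] and cbc_receive(key, dgs[0]) == msgs[0]


def ofb_iv_reuse_leak(key: bytes = b"k" * 16):
    """Returns (leaks_with_reused_iv, leaks_with_unique_ivs): XOR of ciphertexts == XOR of plaintexts?"""
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"  # constructed 16-byte messages
    iv = struct.pack("!II", 1017787475, 0)  # constructed IV reused for both messages
    c1, c2 = ofb_crypt(key, iv, p1), ofb_crypt(key, iv, p2)
    reused = _xor(c1, c2) == _xor(p1, p2)  # identical keystream cancels out
    s = OfbSender(key, clock=lambda: 1017787475)
    d1, d2 = s.send(p1), s.send(p2)  # same second, sequence numbers 0 and 1
    unique = _xor(d1[BLOCK:], d2[BLOCK:]) == _xor(p1, p2)
    return reused, unique


def random_iv_collision_probability(packets: int, iv_bits: int = 64) -> float:
    """Birthday bound: P(two of n random IVs collide) ~= 1 - exp(-n(n-1) / (2 * 2^bits))."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * 2.0 ** iv_bits))
```

With 2^32 random 64-bit IVs the bound gives about 0.39, i.e. the order-of-one-half collision risk the mail warns about, whereas the time/sequence IV cannot repeat as long as the sequence number never wraps under the same key. The CBC sender never needs the carried-forward IV to be unique, only unpredictable, which is why the mail keeps --rand-iv acceptable there; a real implementation would read the cipher's IV size from the library (the mail names EVP_CIPHER_CTX_iv_length in OpenSSL) instead of hard-coding BLOCK.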