Christian, good day.

Tue, Dec 02, 2008 at 08:12:28PM +0000, Christian Weisgerber wrote:
> wang_jiabo <[EMAIL PROTECTED]> wrote:
> > add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> > 3ffe:501:ffff:104:21d:fff:fe19:59fc  esp 0x1000 -m tunnel -E aes-ctr
> > "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
>
> Do not use AES-CTR with static keys!  Re-use of keys with a stream
> cipher will allow listeners to recover the plaintext.
> (See section 7 of RFC 3686.)

Good catch.  Perhaps setkey should be extended to warn the user about
this neat.  The patch is attached.  George, people, what do you think
about it?
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
From 9e076653cefc7c987c339d7a0bfd99ad6c83bd83 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <[EMAIL PROTECTED]>
Date: Wed, 3 Dec 2008 10:48:19 +0300
Subject: [PATCH] setkey: warn user if he wants AES CTR mode

Static encryption keys are very evil with the CTR modes: they allow to
get the XORed plaintext values from two sessions sharing the same key.
Warn user about possible consequences.

There are reasons why this mode shouldn't be completely banned from the
setkey and one of them is that user can do dynamic rekeying by himself.
But in this case he would better use IKE or similar to avoid troubles.

Signed-off-by: Eygene Ryabinkin <[EMAIL PROTECTED]>
---
 sbin/setkey/parse.y |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sbin/setkey/parse.y b/sbin/setkey/parse.y
index 4107453..6c03810 100644
--- a/sbin/setkey/parse.y
+++ b/sbin/setkey/parse.y
@@ -335,6 +335,11 @@ enc_alg
 				return -1;
 			}
 			p_alg_enc = $1;
+			if ($1 == SADB_X_EALG_AESCTR) {
+				fprintf(stderr,
+				    "WARNING: AES-CTR mode shouldn't be used with static encryption keys.\n"
+				    "WARNING: See RFC 3686, section 7 for explanations.\n");
+			}
 
 			p_key_enc_len = $2.len;
 			p_key_enc = $2.buf;
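Review bot: the warning added after `p_alg_enc = $1` does not identify which entry triggered it, so in a file with many `add` lines the user sees two bare WARNING lines on stderr and cannot tell which SA to fix; if the parser tracks the current input line, include it in the message. The text is also conditional ("shouldn't be used with static encryption keys") although this branch is only reached when a key string has just been parsed (`p_key_enc = $2.buf`), so it could state directly that the key supplied here is a static one. The string literal on the first `fprintf` argument line runs well past 80 columns. The diffstat touches only parse.y, so the manual page gets no matching note about AES-CTR and RFC 3686 section 7; that is worth adding in the same change.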
-- 
1.6.0.4
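The keystream reuse that the quoted warning and the commit message describe, as an added example that is not part of the original mail or of setkey. HMAC-SHA256 truncated to 16 bytes stands in for AES so the block runs with the Python standard library alone; the key, nonce, IV and packet contents are constructed, and it is an assumption that the per-packet IV restarts at the same value when the static SA is reloaded.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size; the counter block layout follows RFC 3686


def counter_block(nonce: bytes, iv: bytes, ctr: int) -> bytes:
    """RFC 3686 counter block: 4-byte nonce | 8-byte IV | 4-byte block counter."""
    assert len(nonce) == 4 and len(iv) == 8
    return nonce + iv + ctr.to_bytes(4, "big")


def keystream(key: bytes, nonce: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: truncated HMAC-SHA256 replaces the AES block call."""
    out = b""
    ctr = 1  # RFC 3686 starts the block counter at 1 for each packet
    while len(out) < length:
        block = counter_block(nonce, iv, ctr)
        out += hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, iv, len(plaintext)))


def demo():
    # Constructed values standing in for key material from a static setkey entry.
    key, nonce = b"static-key-bytes", b"\x00\x00\x00\x01"
    iv = (1).to_bytes(8, "big")  # assumed: IV counter restarts after an SA reload
    p1 = b"first session, packet one "
    p2 = b"second session, packet one"
    c1 = ctr_encrypt(key, nonce, iv, p1)  # before the reload
    c2 = ctr_encrypt(key, nonce, iv, p2)  # after it: same key, nonce and IV
    leaked = xor(c1, c2)  # the identical keystreams cancel; no key involved
    # A fresh key for the second session (what IKE rekeying provides) breaks this.
    c3 = ctr_encrypt(b"fresh-key-bytes!", nonce, iv, p2)
    return leaked == xor(p1, p2), xor(c1, c3) == xor(p1, p2)
```

`demo()` returns `(True, False)`: with the static key the XOR of the two ciphertexts equals the XOR of the two plaintexts, and with a fresh key for the second session it does not.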
