On 04 Dec 2015, at 07:56, Valery Smyslov <sva...@gmail.com> wrote:

> Hi Bryan,
>
> I guess Dmitry is talking about the trick when each datagram is encrypted
> with its own key, derived from the "master" session key using some unique
> public parameter of the datagram, like its sequence_number. This trick makes
> attacks on the encryption key almost useless.
> It is not specifically bound to the GOST cipher, however it is sometimes used
> with this cipher to deal with its short (by current standards) block size.
> See for example the (now expired) draft
> https://www.ietf.org/archive/id/draft-fedchenko-ipsecme-cpesp-gost-04.txt
> (it is about ESP, but the general principles are the same for DTLS).
Ah, I see - thanks for the clarification.

> As far as I understand, your proposal makes it impossible to use this trick
> if we consider packet loss and reordering.

Actually, if I'm understanding correctly how you're doing this per-datagram rekeying, I think it still should be compatible with the hash-table-based approach I proposed. Assuming you're using some key derivation function that takes a master key and sequence number as input and produces a per-datagram key, the receiver just needs to pre-compute the per-datagram keys for the sequence numbers within the current window, and encrypt the sequence numbers with those respective per-datagram keys, in order to populate its hash table. I don't think anything breaks at least.

Cheers
Bryan
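The receiver-side precomputation Bryan describes, as an added illustration that is not code from the thread or from any DTLS implementation: the master key, the HMAC-based per-datagram KDF and the PRF-mask "encryption" of the sequence number are all constructed stand-ins for whatever KDF and cipher a real deployment would use. The receiver derives a per-datagram key for every sequence number in its window, encrypts each sequence number under its own key, and keys a hash table by the resulting ciphertext, so a datagram that arrives late or out of order is still matched even though its key depends on the very sequence number being recovered.

```python
import hmac
import hashlib

# Constructed example values (not from the thread): shared master key and window size.
MASTER_KEY = b"example-master-key-not-from-the-thread"
WINDOW = 64          # number of sequence numbers the receiver precomputes
SEQ_BYTES = 6        # DTLS uses a 48-bit sequence number


def per_datagram_key(master_key: bytes, seq: int) -> bytes:
    """Hypothetical KDF: per-datagram key = HMAC-SHA256(master, label || seq)."""
    info = b"per-datagram" + seq.to_bytes(SEQ_BYTES, "big")
    return hmac.new(master_key, info, hashlib.sha256).digest()


def encrypt_seq(key: bytes, seq: int) -> bytes:
    """Stand-in for the sequence-number cipher: a keyed PRF mask XORed onto the
    sequence number. Each per-datagram key is used exactly once, so the mask is
    single-use; a real stack would use its AEAD/cipher of choice here."""
    mask = hmac.new(key, b"seq-mask", hashlib.sha256).digest()[:SEQ_BYTES]
    return bytes(a ^ b for a, b in zip(mask, seq.to_bytes(SEQ_BYTES, "big")))


def build_window_table(master_key: bytes, base_seq: int, window: int = WINDOW) -> dict:
    """Receiver: precompute ciphertext -> sequence number for the whole window.
    Lookup then works regardless of loss or reordering within the window."""
    table = {}
    for seq in range(base_seq, base_seq + window):
        table[encrypt_seq(per_datagram_key(master_key, seq), seq)] = seq
    return table


def sender_header(master_key: bytes, seq: int) -> bytes:
    """Sender: the encrypted sequence number carried in the datagram header."""
    return encrypt_seq(per_datagram_key(master_key, seq), seq)


def receive(table: dict, header: bytes):
    """Match an incoming header; None means outside the window (or corrupted)."""
    return table.get(header)


def demo():
    table = build_window_table(MASTER_KEY, base_seq=1000)
    # Constructed traffic: 1003 and 1001 arrive out of order, 1002 is lost,
    # and 5000 is far outside the window and must not match.
    arrivals = [sender_header(MASTER_KEY, s) for s in (1003, 1001, 5000)]
    return [receive(table, h) for h in arrivals]
```

Once a datagram is accepted the receiver slides the window forward and derives entries for the newly covered sequence numbers, dropping the ones that fell out of the window.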
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls