[Swan-dev] location of block-alignment check when decrypting?

Paul Wouters paul at nohats.ca
Wed Dec 31 20:13:35 EET 2014


On Wed, 31 Dec 2014, Andrew Cagney wrote:

> as part of integrating GCM, I'm moving the block-alignment check to
> before the integrity check, viz:
>
> - check for too small, if invalid, fail
> - if needed, check payload block alignment, if invalid, fail
> - check integrity
> - if no integrity, fail
> - decrypt
> - if invalid pad-length, fail
>
> First, it makes inserting Authenticated Encryption with Associated
> Data algorithms (i.e., GCM) easier; and, second, like the small packet
> check, alignment requirements aren't exactly secret.

Sounds good.

> Also, giving the remote end the ability to craft a packet so that only
> integrity is run just bugs me.  With that in mind, I'm wondering if
> the code should be changed further to:
>
> - check for too small, if invalid, fail
> - if needed, check payload block alignment, if invalid, fail
> - check integrity
> - decrypt
> - if no integrity, fail
> - if invalid pad-length, fail
>
> i.e., always run both integrity and decrypt; I suspect I'm being paranoid :-)

I'm personally more concerned about DDOS attacks than IKE timing
attacks. One would think the network already has enough variation in it
for these timing attacks to work, assuming the attacker isn't local to
the CPU already (which is not really within our scope).

Perhaps Hugh can chime in on this?

Paul
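The receive-side ordering Andrew proposes in the second list (size, alignment, then integrity and decryption both run before either result is acted on) is shown below as an added example; it is not libreswan code and was not posted by anyone on this thread. The packet layout is an IKEv2-style IV || ciphertext || truncated HMAC tag with a trailing pad-length byte, and the 16-byte Feistel cipher in CBC mode is a constructed stand-in for AES-CBC so the example runs on the standard library alone (it is not a secure cipher). The function and key names are assumptions of the example, not names from the project.

```python
import hashlib
import hmac

# Toy cipher constructed for this example: a 4-round Feistel network over
# 16-byte blocks with a SHA-256 round function, run in CBC mode. It stands in
# for AES-CBC so the code runs offline; it is NOT a secure cipher.
BLOCK = 16
IV_LEN = 16
TAG_LEN = 16  # truncated HMAC-SHA256 (HMAC-SHA2-256-128 style)
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block, key, rounds):
    """One pass of the toy block cipher; reversed round order inverts it."""
    left, right = block[:8], block[8:]
    for r in rounds:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return right + left  # final swap makes the same loop its own inverse


def _cbc(data, key, iv, encrypt):
    """CBC mode over the toy cipher; data must be block aligned."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            c = _feistel(_xor(blk, prev), key, range(ROUNDS))
            out += c
            prev = c
        else:
            out += _xor(_feistel(blk, key, reversed(range(ROUNDS))), prev)
            prev = blk
    return bytes(out)


def encrypt_packet(payload, enc_key, auth_key, iv):
    """Build IV || CBC(payload || padding || pad_len) || tag."""
    pad_len = (BLOCK - (len(payload) + 1) % BLOCK) % BLOCK
    plaintext = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len])
    body = iv + _cbc(plaintext, enc_key, iv, encrypt=True)
    tag = hmac.new(auth_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def decrypt_packet(packet, enc_key, auth_key):
    """Receive path in the order discussed on the list: public-shape checks
    first, then integrity AND decryption unconditionally, then the verdict."""
    # 1. too small: cannot hold IV, one cipher block and the tag
    if len(packet) < IV_LEN + BLOCK + TAG_LEN:
        return "FAIL_TOO_SMALL", None
    iv = packet[:IV_LEN]
    ciphertext = packet[IV_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    # 2. block alignment of the encrypted part; this is a property visible
    #    on the wire, so failing early here reveals nothing secret
    if len(ciphertext) % BLOCK != 0:
        return "FAIL_ALIGNMENT", None
    # 3. and 4. run integrity and decryption regardless of each other, so the
    #    sender cannot choose which of the two the receiver performs
    expected = hmac.new(auth_key, packet[:-TAG_LEN],
                        hashlib.sha256).digest()[:TAG_LEN]
    integrity_ok = hmac.compare_digest(expected, tag)
    plaintext = _cbc(ciphertext, enc_key, iv, encrypt=False)
    # 5. only now branch on the outcomes; plaintext of a packet that failed
    #    integrity is never handed back, and the pad byte is never inspected
    if not integrity_ok:
        return "FAIL_INTEGRITY", None
    pad_len = plaintext[-1]
    if pad_len >= BLOCK or pad_len + 1 > len(plaintext):
        return "FAIL_PADDING", None
    return "OK", plaintext[:len(plaintext) - pad_len - 1]


if __name__ == "__main__":
    enc_key, auth_key, iv = b"k" * 16, b"a" * 16, bytes(range(16))  # constructed
    pkt = encrypt_packet(b"IKE payload", enc_key, auth_key, iv)
    print(decrypt_packet(pkt, enc_key, auth_key))
    print(decrypt_packet(pkt[:-1] + b"\x00", enc_key, auth_key))
```

The point of the structure is that the only branches a peer can steer from the outside are the two whose inputs are already public (packet length and block alignment); once past them, the amount of work done is the same for a forged packet and a genuine one.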
