[Swan-dev] location of block-alignment check when decrypting?
Paul Wouters
paul at nohats.ca
Fri Jan 2 00:13:13 EET 2015
On Wed, 31 Dec 2014, D. Hugh Redelmeier wrote:
> | > Also, giving the remote end the ability to craft a packet so that only
> | > integrity is run just bugs me.
>
> | I'm personally more concerned about DDOS attacks than IKE timing
> | attacks. One would think the network already has enough variation in it
>
> I guess that the current order makes timing attacks on integrity
> more effective: it doesn't have the mask of decrypt time. Since
> integrity algs should be designed to be resistant to timing attacks,
> this might not matter.
>
> Do you think that this is worrying?
Isn't this one reason to prefer AEAD ciphers? So that decrypt+integ is
one step and time constant regardless of whether it fails or succeeds?
We should really add aes_gcm to our default IKE proposal list once we
finish the implementation (and possibly start warning about 3DES
removal).
Paul
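The contrast Paul draws, as an added Go example that is not part of the thread or of libreswan's code: an AEAD receive path where tag check and decryption are one call, beside an encrypt-then-MAC receive path (AES-CBC + HMAC-SHA256) where the implementer has to choose an order for the length/alignment check, the integrity check and the decryption. The keys, the payloads and the packet layouts (nonce || ciphertext || tag, and iv || ciphertext || tag) are constructed for the example and are not IKE's wire format. In openCBC the structural checks come first, then a constant-time MAC compare over the whole body, then decryption; that is one of the orderings under discussion, not a claim about what libreswan does.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keys are constructed for this example; an IKE SA would derive them from the key exchange.
var (
	encKey  = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	macKey  = []byte("fedcba9876543210fedcba9876543210") // HMAC-SHA256 key
	errAuth = errors.New("authentication failed")          // one error for every failure mode
)

// Key length is fixed above, so a failure here would be a programming error, not peer input.
var aesBlock, _ = aes.NewCipher(encKey)
var gcm, _ = cipher.NewGCM(aesBlock)

const tagLen = sha256.Size

// sealGCM: AEAD path. Output layout (constructed) is nonce || ciphertext || tag.
func sealGCM(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM: tag verification and decryption are a single call; on failure no plaintext is
// produced, so there is no separate "only integrity ran" path for a peer to steer into.
func openGCM(msg, aad []byte) ([]byte, error) {
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errAuth
	}
	pt, err := gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], aad)
	if err != nil {
		return nil, errAuth
	}
	return pt, nil
}

// sealCBC: separate-primitive path, AES-CBC then HMAC-SHA256 (encrypt-then-MAC).
// Output layout (constructed) is iv || ciphertext || tag; the tag covers iv and ciphertext.
func sealCBC(plaintext []byte) ([]byte, error) {
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7-style padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, aes.BlockSize, aes.BlockSize+len(padded)+tagLen)
	if _, err := rand.Read(out); err != nil { // out holds just the IV at this point
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(aesBlock, out[:aes.BlockSize]).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// openCBC: checks run in a fixed order. Length and block alignment are unkeyed and cheap, so
// they go first; the MAC is then verified in constant time; only an authenticated body is decrypted.
func openCBC(msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+tagLen || (len(msg)-tagLen)%aes.BlockSize != 0 {
		return nil, errAuth
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time compare
		return nil, errAuth
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(aesBlock, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize {
		return nil, errAuth
	}
	return pt[:len(pt)-padLen], nil
}

func main() {
	msg, aad := []byte("constructed IKE payload"), []byte("constructed header")
	c, _ := sealGCM(msg, aad)
	c[len(c)-1] ^= 1 // corrupt the tag: Open fails and returns no plaintext
	_, err := openGCM(c, aad)
	fmt.Println("gcm tampered:", err)
	c2, _ := sealCBC(msg)
	_, err = openCBC(c2[:len(c2)-1]) // misaligned: rejected before MAC or cipher run
	fmt.Println("cbc+hmac truncated:", err)
}
```

Both receive functions return the same error for every failure, so the caller cannot tell (and cannot log) which stage rejected the packet; what remains observable is only the time each stage takes, which is the property the thread is weighing.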