Paper 2005/416

Cryptography in Theory and Practice: The Case of Encryption in IPsec

Kenneth G. Paterson and Arnold K. L. Yau

Abstract

This paper studies the gaps that exist between cryptography as studied in theory, as defined in standards, as implemented by software engineers, and as actually consumed by users. Our focus is on IPsec, an important and widely-used suite of protocols providing security at the IP layer of network communications. Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards currently mandate its support. We present evidence that such "encryption-only" configurations are in fact still often selected by users in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher layer protocol, and in some cases even when it is supplied by IPsec itself. Finally in this paper, we reflect on the reasons why this unsatisfactory situation persists, and make some recommendations for the future development of IPsec and cryptographic software in general.

Note: This is an extended version of the Eurocrypt 2006 paper with the same title.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Unknown where it was published
Keywords
IPsec, integrity, encryption, ESP
Contact author(s)
kenny paterson @ rhul ac uk
History
2006-04-24: revised
2005-11-21: received
Short URL
https://ia.cr/2005/416
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2005/416,
      author = {Kenneth G. Paterson and Arnold K. L. Yau},
      title = {Cryptography in Theory and Practice: The Case of Encryption in IPsec},
      howpublished = {Cryptology ePrint Archive, Paper 2005/416},
      year = {2005},
      note = {\url{https://eprint.iacr.org/2005/416}},
      url = {https://eprint.iacr.org/2005/416}
}