PicoMite V6.00.01 release candidates - please test thoroughly
TassyJim

Guru

Joined: 07/08/2011
Location: Australia
Posts: 6506
Posted: 12:48am 21 Dec 2024      

From http://www.ietf.org/rfc/rfc3602.txt.

2.1.  Mode

  NIST has defined 5 modes of operation for AES and other FIPS-approved
  ciphers [MODES]: CBC (Cipher Block Chaining), ECB (Electronic
  CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack) and CTR
  (Counter).  The CBC mode is well-defined and well-understood for
  symmetric ciphers, and is currently required for all other ESP
  ciphers.  This document specifies the use of the AES cipher in CBC
  mode within ESP.  This mode requires an Initialization Vector (IV)
  that is the same size as the block size.  Use of a randomly generated
  IV prevents generation of identical ciphertext from packets which
  have identical data that spans the first block of the cipher
  algorithm's block size.

  The IV is XOR'd with the first plaintext block before it is
  encrypted.  Then for successive blocks, the previous ciphertext block
  is XOR'd with the current plaintext, before it is encrypted.

  More information on CBC mode can be obtained in [MODES, CRYPTO-S].
  For the use of CBC mode in ESP with 64-bit ciphers, see [CBC].

...


3.  ESP Payload

  The ESP payload is made up of the IV followed by raw cipher-text.
  Thus the payload field, as defined in [ESP], is broken down according
  to the following diagram:

  +---------------+---------------+---------------+---------------+
  |                                                               |
  +               Initialization Vector (16 octets)               +
  |                                                               |
  +---------------+---------------+---------------+---------------+
  |                                                               |
  ~ Encrypted Payload (variable length, a multiple of 16 octets)  ~
  |                                                               |
  +---------------------------------------------------------------+

  The IV field MUST be the same size as the block size of the cipher
  algorithm being used.  The IV MUST be chosen at random, and MUST be
  unpredictable.

  Including the IV in each datagram ensures that decryption of each
  received datagram can be performed, even when some datagrams are
  dropped, or datagrams are re-ordered in transit.

  To avoid CBC encryption of very similar plaintext blocks in different
  packets, implementations MUST NOT use a counter or other low-Hamming
  distance source for IVs.


A random IV is the correct way to go.

Jim