The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2405
Document Type RFC - Proposed Standard (November 1998; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2405 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          C. Madson
Request for Comments: 2405                           Cisco Systems, Inc.
Category: Standards Track                                   N. Doraswamy
                                                      Bay Networks, Inc.
                                                           November 1998

                    The ESP DES-CBC Cipher Algorithm
                            With Explicit IV

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   This document describes the use of the DES Cipher algorithm in Cipher
   Block Chaining Mode, with an explicit IV, as a confidentiality
   mechanism within the context of the IPSec Encapsulating Security
   Payload (ESP).

1. Introduction

   This document describes the use of the DES Cipher algorithm in Cipher
   Block Chaining Mode as a confidentiality mechanism within the context
   of the Encapsulating Security Payload.

   DES is a symmetric block cipher algorithm. The algorithm is described
   in [FIPS-46-2][FIPS-74][FIPS-81]. [Schneier96] provides a general
   description of Cipher Block Chaining Mode, a mode which is applicable
   to several encryption algorithms.

   As specified in this memo, DES-CBC is not an authentication
   mechanism. [Although DES-MAC, described in [Schneier96] amongst other
   places, does provide authentication, DES-MAC is not discussed here.]

   For further information on how the various pieces of ESP fit together
   to provide security services, refer to [ESP] and [road].

Madson & Doraswamy          Standards Track                     [Page 1]
RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC-2119].

2. Algorithm and Mode

   DES-CBC is a symmetric secret-key block algorithm. It has a block
   size of 64 bits.

   [FIPS-46-2][FIPS-74] and [FIPS-81] describe the DES algorithm, while
   [Schneier96] provides a good description of CBC mode.

2.1 Performance

   Phil Karn has tuned DES-CBC software to achieve 10.45 Mbps with a 90
   MHz Pentium, scaling to 15.9 Mbps with a 133 MHz Pentium.  Other DES
   speed estimates may be found in [Schneier96].

3. ESP Payload

   DES-CBC requires an explicit Initialization Vector (IV) of 8 octets
   (64 bits).  This IV immediately precedes the protected (encrypted)
   payload. The IV MUST be a random value.

   Including the IV in each datagram ensures that decryption of each
   received datagram can be performed, even when some datagrams are
   dropped, or datagrams are re-ordered in transit.

   Implementation note:

      Common practice is to use random data for the first IV and the
      last 8 octets of encrypted data from an encryption process as the
      IV for the next encryption process; this logically extends the CBC
      across the packets. It also has the advantage of limiting the
      leakage of information from the random number genrator. No matter
      which mechnism is used, the receiver MUST NOT assume any meaning
      for this value, other than that it is an IV.

      To avoid ECB encryption of very similar plaintext blocks in
      different packets, implementations MUST NOT use a counter or other
      low-Hamming distance source for IVs.

   The payload field, as defined in [ESP], is broken down according to
   the following diagram:

Madson & Doraswamy          Standards Track                     [Page 2]
RFC 2405            The ESP DES-CBC Cipher Algorithm       November 1998

      +---------------+---------------+---------------+---------------+
      |                                                               |
      +                   Initialization Vector (IV)                  +
      |                                                               |
      +---------------+---------------+---------------+---------------+
      |                                                               |
      ~              Encrypted Payload (variable length)              ~
      |                                                               |
      +---------------------------------------------------------------+
       1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8

3.1 Block Size and Padding

   The DES-CBC algorithm described in this document MUST use a block
   size of 8 octets (64 bits).

   When padding is required, it MUST be done according to the
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools