[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Clarification required in RFC 2831 - DIGEST-MD5
At 04:19 PM 12/20/00 +0000, Jonathan Bruce wrote:
>As part of the LDAPbis process there are a number of issues specifically related to RFC
>2831 - 'Using Digest Authentication as a SASL Mechanism' that need to be clarified. Kurt
>Zeilenga has asked that I share my concerns with this interest list.
>
>RFC 2831 specifies confidentiality protection (see section 2.4) whereby client-server
>communications can be encrypted according to a format laid out in the RFC. The difficulty
>arises when either DES or Triple DES ciphers are used for confidentiality protection.
>
>However, RFC 2831 does not specify which DES mode (CBC, ECB, PCBC, CFB, OFB etc. ..),
>should be used if DES is the negotiated cipher. This gap in the RFC allows for possible
>interoperability issues allowing different vendors to potentiality opt for incompatible
>DES modes.
At the top of page 5 of RFC 2831, the TS says:
des
the Data Encryption Standard (DES) cipher [FIPS] in cipher
block chaining (CBC) mode with a 56 bit key.
3des
the "triple DES" cipher in CBC mode with EDE with the same key
for each E stage (aka "two keys mode") for a total key length
of 112 bits.
This seems to indicate that CBC mode is to be used. Is this
not specific enough?
Are there other areas you believe need clarification?
>Possible solutions include ...
Approach 2, clarifying the specification such that interpretations
differences are narrowed to one, should be favored approach.