Cryptography in Theory and Practice: The Case of Encryption in IPsec

  • Kenneth G. Paterson
  • Arnold K. L. Yau
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4004)


Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards mandate its support. We present evidence that such “encryption-only” configurations are in fact still often selected by users of IPsec in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher layer protocol, and in some cases even when it is supplied by IPsec itself.
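The property the abstract relies on can be shown in a few lines. The following is an added illustration, not code from the paper and not the paper's own attack procedure: ESP carries an explicit IV in front of each CBC-encrypted payload, and in tunnel mode the first plaintext block is the start of the inner IP header. Since P1 = D_K(C1) XOR IV, anyone who knows P1 can make the receiver decrypt to a chosen P1' by sending IV' = IV XOR P1 XOR P1', with no key, no change to later blocks, and, in an encryption-only configuration, nothing to detect it. Assumptions made here: a toy Feistel block cipher stands in for AES-CBC or 3DES-CBC so the script runs offline (the malleability does not depend on the cipher), the inner datagram and SA key are constructed sample data, the ESP trailer is reduced to its pad-length and next-header bytes, and the attacker is assumed to know the original inner header.

```python
"""Added illustration of CBC malleability in encryption-only ESP (not the
paper's code).  Toy Feistel cipher used only so the script runs offline."""
import hashlib
import struct

BLOCK = 16
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy round function: keyed hash of one 8-byte half (assumption, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    lft, rgt = block[:8], block[8:]
    for i in range(ROUNDS):
        lft, rgt = rgt, xor(lft, _f(key, rgt, i))
    return lft + rgt


def block_decrypt(key: bytes, block: bytes) -> bytes:
    lft, rgt = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        lft, rgt = xor(rgt, _f(key, lft, i)), lft
    return lft + rgt


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "ESP pads the payload to the block size"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))  # P_i = D(C_i) XOR C_{i-1}, C_0 = IV
        prev = c
    return b"".join(out)


def ones_complement_sum(data: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ipv4_header(src: bytes, dst: bytes, proto: int, ttl: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header (no options), DF set, header checksum filled in.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    return ones_complement_sum(hdr[:20]) == 0xFFFF


def rewrite_first_block(iv: bytes, known_p1: bytes, wanted_p1: bytes) -> bytes:
    # The attacker's only move: IV' = IV XOR P1 XOR P1'.  Needs no key.
    return xor(iv, xor(known_p1, wanted_p1))


def demo():
    key = b"K" * 16                       # constructed SA key, unknown to the attacker
    iv = bytes(range(16))                 # explicit IV as carried in the ESP packet (constructed)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"0123456789"
    hdr = ipv4_header(src, dst, proto=17, ttl=64, total_len=20 + len(payload))
    # Inner datagram + ESP trailer (pad length 0, next header 4 = IP-in-IP): 32 bytes.
    pt = hdr + payload + bytes([0, 4])
    ct = cbc_encrypt(key, iv, pt)

    # Attacker knows the original inner header (assumption) and wants the receiving
    # gateway to treat the inner packet as ICMP with TTL 1.  TTL, protocol and the
    # header checksum all sit in the first 16 bytes, so the whole change fits in P1.
    forged = ipv4_header(src, dst, proto=1, ttl=1, total_len=20 + len(payload))
    iv2 = rewrite_first_block(iv, pt[:BLOCK], forged[:BLOCK])

    # Receiver decrypts the untouched ciphertext under the attacker's IV.
    pt2 = cbc_decrypt(key, iv2, ct)
    return pt, pt2, forged


if __name__ == "__main__":
    original, tampered, forged_hdr = demo()
    print("header rewritten :", tampered[:20] == forged_hdr)
    print("checksum valid   :", header_checksum_ok(tampered[:20]))
    print("rest untouched   :", tampered[20:] == original[20:])
```

The decrypted datagram carries a well-formed inner header with attacker-chosen TTL and protocol fields and a correct checksum, while the payload and trailer are byte-for-byte the original. Only an integrity check over the ciphertext (ESP with authentication, or AH) stops this; a checksum or integrity check inside the encrypted payload is itself under the attacker's control in the same way, which is why the abstract notes that higher-layer integrity protection does not by itself close the gap.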


Keywords: IPsec, integrity, encryption, ESP



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Kenneth G. Paterson (1)
  • Arnold K. L. Yau (1)
  1. Information Security Group, Royal Holloway, University of London, Egham, Surrey, United Kingdom
