
Cryptography in Theory and Practice: The Case of Encryption in IPsec

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 4004)


Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards mandate its support. We present evidence that such “encryption-only” configurations are in fact still often selected by users of IPsec in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher layer protocol, and in some cases even when it is supplied by IPsec itself.
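The "well-known results" the abstract refers to boil down to one property: CBC ciphertext without an integrity check is malleable, so a receiver that only decrypts will accept a datagram whose plaintext has been changed in a predictable way. The following Python is an added illustration, not code from the paper or from any IPsec implementation. It uses a constructed 4-round Feistel toy cipher built from HMAC-SHA256 (so that it runs with the standard library alone; it is not AES/DES-CBC and is not secure), constructed keys, IV and plaintext, and a constructed 96-bit tag length. It shows the encryption-only receiver accepting the altered datagram and an Encrypt-then-MAC receiver rejecting the same bytes before decryption runs.

```python
# Added illustration, not code from the paper: CBC "encryption-only" (ESP with a NULL
# authentication algorithm) is malleable; an integrity check rejects the same change.
# The block cipher is a constructed Feistel toy built from HMAC-SHA256 so the example
# runs with the standard library only; it is not AES/DES-CBC and it is not secure.
# ENC_KEY, MAC_KEY, IV, PLAINTEXT and TAG_LEN are constructed sample values.
import hashlib
import hmac

BLOCK = 16      # block size in bytes (AES-CBC in ESP also uses 16-byte blocks)
ROUNDS = 4      # Feistel rounds of the toy cipher
TAG_LEN = 12    # constructed: a 96-bit truncated tag, as ESP integrity algorithms commonly use


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: a keyed PRF of one half-block, truncated to 8 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be whole blocks (ESP pads before encrypting)")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))   # P[i] = D(C[i]) xor C[i-1]
        prev = c
    return b"".join(out)


def flip_bits(ciphertext: bytes, block_index: int, offset: int, mask: int) -> bytes:
    """Change one ciphertext byte in transit; CBC mirrors the change into the next plaintext block."""
    buf = bytearray(ciphertext)
    buf[block_index * BLOCK + offset] ^= mask
    return bytes(buf)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct, tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None          # receiver drops the datagram; decryption never runs
    return cbc_decrypt(enc_key, iv, ct)


# Constructed sample values: two 16-byte plaintext blocks standing in for an inner datagram.
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(16, 32))
IV = b"\xA5" * BLOCK
PLAINTEXT = b"src=10.0.0.1    dst=10.0.0.2    "


def demo() -> dict:
    """What each kind of receiver sees after the same one-bit change to ciphertext block 0."""
    ct, tag = encrypt_then_mac(ENC_KEY, MAC_KEY, IV, PLAINTEXT)
    tampered = flip_bits(ct, 0, 11, 0x01)   # block 0, byte 11: lands on byte 11 of plaintext block 1
    return {
        "roundtrip": cbc_decrypt(ENC_KEY, IV, ct),
        "encryption_only": cbc_decrypt(ENC_KEY, IV, tampered),   # accepted: block 0 garbled, block 1 '2' -> '3'
        "with_integrity": verify_then_decrypt(ENC_KEY, MAC_KEY, IV, tampered, tag),  # None: rejected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value!r}")
```

The encryption-only receiver decrypts the modified datagram to a garbled first block followed by a second block that differs from the original in exactly the chosen bit, which is the controlled change that authenticated encryption exists to prevent; the receiver with the MAC returns nothing, because the tag check fails before any plaintext is produced.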


  • IPsec
  • integrity
  • encryption
  • ESP

The work described in this paper was partly supported by the European Commission under contract IST-2002-507932 (ECRYPT). An extended version is available [25].

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-34547-3_36


  1. Atkinson, R.: IP Encapsulating Security Payload (ESP). RFC 1827 (August 1995)

  2. Baker, F.: Requirements for IPv4 Routers. RFC 1812 (June 1995)

  3. Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM TISSEC 7(2), 206–241 (2004)

  4. Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)

  5. Bellare, M., Rogaway, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)

  6. Bellovin, S.: Problem Areas for the IP Security Protocols. In: Proceedings of the Sixth Usenix Unix Security Symposium, San Jose, CA, pp. 1–16 (July 1996)

  7. Borisov, N., Goldberg, I., Wagner, D.: Intercepting Mobile Communications: The Insecurity of 802.11. In: Proc. MOBICOM 2001, pp. 180–189. ACM Press, New York (2001)

  8. Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password Interception in a SSL/TLS Channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)

  9. Doraswamy, N., Harkins, D.: IPsec: the new security standard for the Internet, Intranets and Virtual Private Networks, 2nd edn. Prentice Hall PTR, Englewood Cliffs (2003)

  10. Ferguson, N., Schneier, B.: A cryptographic evaluation of IPsec. Unpublished manuscript, available from:

  11. Frankel, S., Glenn, R., Kelly, S.: The AES-CBC Cipher Algorithm and Its Use with IPsec. RFC 3602 (September 2003)

  12. Frankel, S., Kent, K., Lewkowski, R., Orebaugh, A.D., Ritchey, R.W., Sharma, S.R.: Guide to IPsec VPNs, NIST Special Publication 800-77 (Draft) (January 2005)

  13. Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). RFC 2409 (November 1998)

  14. Katz, J., Yung, M.: Unforgeable encryption and chosen ciphertext secure modes of operation. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 284–299. Springer, Heidelberg (2001)

  15. Kent, S., Atkinson, R.: Security Architecture for the Internet Protocol. RFC 2401 (November 1998)

  16. Kent, S., Atkinson, R.: IP Encapsulating Security Payload (ESP). RFC 2406 (November 1998)

  17. Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301 (obsoletes RFC 2401) (December 2005)

  18. Kent, S.: IP Encapsulating Security Payload (ESP). RFC 4303 (obsoletes RFC 2406) (December 2005)

  19. Krawczyk, H.: The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)

  20. Internet Protocol. RFC 791 (September 1981)

  21. Madson, C., Doraswamy, N.: The ESP DES-CBC Cipher Algorithm With Explicit IV. RFC 2405 (November 1998)

  22. McCubbin, C.B., Selcuk, A.A., Sidhu, D.: Initialization vector attacks on the IPsec protocol suite. In: WETICE 2000, pp. 171–175. IEEE Computer Society, Los Alamitos (2000)

  23. Nguyen, P.Q.: Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 555–570. Springer, Heidelberg (2004)

  24. NISCC Vulnerability Advisory IPSEC - 004033 (9th May 2005), available from:

  25. Paterson, K.G., Yau, A.K.L.: Cryptography in Theory and Practice: The Case of Encryption in IPsec, extended version of this paper available from:

  26. Pereira, R., Adams, R.: The ESP CBC-Mode Cipher Algorithms. RFC 2451 (November 1998)

  27. Postel, J.: Internet Control Message Protocol. RFC 792 (September 1981)

  28. Stubblebine, S., Gligor, V.: On Message Integrity in Cryptographic Protocols. IEEE Security and Privacy, 85–104 (May 1992)

  29. Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)

  30. Yu, T., Hartman, S., Raeburn, K.: The perils of unauthenticated encryption: Kerberos version 4. In: Proc. NDSS, The Internet Society (2004)


Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Paterson, K.G., Yau, A.K.L. (2006). Cryptography in Theory and Practice: The Case of Encryption in IPsec. In: Vaudenay, S. (ed.) Advances in Cryptology - EUROCRYPT 2006. EUROCRYPT 2006. Lecture Notes in Computer Science, vol 4004. Springer, Berlin, Heidelberg.


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34546-6

  • Online ISBN: 978-3-540-34547-3

  • eBook Packages: Computer Science (R0)