Re: [strongSwan] nonce Length
On 9/14/2017 11:53 AM, Andreas Steffen wrote:
Hi Jafar,
the mandatory nonce plugin is a nonce generator which returns
the requested number of random bytes. There are many other places in
the strongSwan code where nonces of variable size are needed
(e.g. for the IKE SPI or for the TLS client or server Hello).
Sure, my first grep -r "nonce" returned hundreds if not thousands of
results.
Thanks again for the explanation, and also for the great work of
StrongSwan team.
Kind Regards,
Jafar
Kind regards
Andreas
On 14.09.2017 17:28, Jafar Al-Gharaibeh wrote:
Hi Andreas,
Thanks for the quick and thorough answer. I did not find that piece
of information (nonce size) in the documentation, but as you noted about
the source code, I did download and dig through the source code
yesterday and came across the the 32 byte number. Thanks for confirming
that.
I also came across nonce plugin configuration:
nonce {
}
Is there really any thing configurable here or is that just there for
completeness?
Kind Regards,
Jafar
On 9/14/2017 1:56 AM, Andreas Steffen wrote:
Hi Jafar,
section 2.10 of IKEv2 RFC 7296 [1] states that
Nonces used in IKEv2
MUST be randomly chosen, MUST be at least 128 bits in size, and
MUST
be at least half the key size of the negotiated pseudorandom
function
(PRF). However, the initiator chooses the nonce before the outcome
of the negotiation is known. Because of that, the nonce has to be
long enough for all the PRFs being proposed.
This is why strongSwan generates nonces with a constant size of 32
bytes
(256 bits) as defined in nonce_payloads.h [2]
/**
* Nonce size in bytes for nonces sending to other peer.
*/
#define NONCE_SIZE 32
Best regards
Andreas
[1]https://tools.ietf.org/html/rfc7296#section-2.10
[2]https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/encoding/payloads/nonce_payload.h;h=ee8ad17f789ed4fe6a2e3476fc710b79d74885aa;hb=HEAD#l30
On 13.09.2017 20:37, Jafar Al-Gharaibeh wrote:
Hi,
What is the default length of the nonce used to establish and
rekey
IKE/Child SAs? is that based on the DH group? and is the length
configurable?
Thanks,
Jafar
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
Re: [strongSwan] nonce Length
Hi Jafar,
the mandatory nonce plugin is a nonce generator which returns
the requested number of random bytes. There are many other places in
the strongSwan code where nonces of variable size are needed
(e.g. for the IKE SPI or for the TLS client or server Hello).
Kind regards
Andreas
On 14.09.2017 17:28, Jafar Al-Gharaibeh wrote:
Hi Andreas,
Thanks for the quick and thorough answer. I did not find that piece
of information (nonce size) in the documentation, but as you noted about
the source code, I did download and dig through the source code
yesterday and came across the the 32 byte number. Thanks for confirming
that.
I also came across nonce plugin configuration:
nonce {
}
Is there really any thing configurable here or is that just there for
completeness?
Kind Regards,
Jafar
On 9/14/2017 1:56 AM, Andreas Steffen wrote:
Hi Jafar,
section 2.10 of IKEv2 RFC 7296 [1] states that
Nonces used in IKEv2
MUST be randomly chosen, MUST be at least 128 bits in size, and MUST
be at least half the key size of the negotiated pseudorandom function
(PRF). However, the initiator chooses the nonce before the outcome
of the negotiation is known. Because of that, the nonce has to be
long enough for all the PRFs being proposed.
This is why strongSwan generates nonces with a constant size of 32 bytes
(256 bits) as defined in nonce_payloads.h [2]
/**
* Nonce size in bytes for nonces sending to other peer.
*/
#define NONCE_SIZE 32
Best regards
Andreas
[1]https://tools.ietf.org/html/rfc7296#section-2.10
[2]https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/encoding/payloads/nonce_payload.h;h=ee8ad17f789ed4fe6a2e3476fc710b79d74885aa;hb=HEAD#l30
On 13.09.2017 20:37, Jafar Al-Gharaibeh wrote:
Hi,
What is the default length of the nonce used to establish and rekey
IKE/Child SAs? is that based on the DH group? and is the length
configurable?
Thanks,
Jafar
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
smime.p7s
Description: S/MIME Cryptographic Signature
Re: [strongSwan] nonce Length
Hi Andreas,
Thanks for the quick and thorough answer. I did not find that piece
of information (nonce size) in the documentation, but as you noted about
the source code, I did download and dig through the source code
yesterday and came across the the 32 byte number. Thanks for confirming
that.
I also came across nonce plugin configuration:
nonce {
}
Is there really any thing configurable here or is that just there for
completeness?
Kind Regards,
Jafar
On 9/14/2017 1:56 AM, Andreas Steffen wrote:
Hi Jafar,
section 2.10 of IKEv2 RFC 7296 [1] states that
Nonces used in IKEv2
MUST be randomly chosen, MUST be at least 128 bits in size, and MUST
be at least half the key size of the negotiated pseudorandom function
(PRF). However, the initiator chooses the nonce before the outcome
of the negotiation is known. Because of that, the nonce has to be
long enough for all the PRFs being proposed.
This is why strongSwan generates nonces with a constant size of 32 bytes
(256 bits) as defined in nonce_payloads.h [2]
/**
* Nonce size in bytes for nonces sending to other peer.
*/
#define NONCE_SIZE 32
Best regards
Andreas
[1]https://tools.ietf.org/html/rfc7296#section-2.10
[2]https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/encoding/payloads/nonce_payload.h;h=ee8ad17f789ed4fe6a2e3476fc710b79d74885aa;hb=HEAD#l30
On 13.09.2017 20:37, Jafar Al-Gharaibeh wrote:
Hi,
What is the default length of the nonce used to establish and rekey
IKE/Child SAs? is that based on the DH group? and is the length
configurable?
Thanks,
Jafar
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
Re: [strongSwan] nonce Length
Hi Jafar, section 2.10 of IKEv2 RFC 7296 [1] states that Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 bits in size, and MUST be at least half the key size of the negotiated pseudorandom function (PRF). However, the initiator chooses the nonce before the outcome of the negotiation is known. Because of that, the nonce has to be long enough for all the PRFs being proposed. This is why strongSwan generates nonces with a constant size of 32 bytes (256 bits) as defined in nonce_payloads.h [2] /** * Nonce size in bytes for nonces sending to other peer. */ #define NONCE_SIZE 32 Best regards Andreas [1]https://tools.ietf.org/html/rfc7296#section-2.10 [2]https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/encoding/payloads/nonce_payload.h;h=ee8ad17f789ed4fe6a2e3476fc710b79d74885aa;hb=HEAD#l30 On 13.09.2017 20:37, Jafar Al-Gharaibeh wrote: > Hi, > >What is the default length of the nonce used to establish and rekey > IKE/Child SAs? is that based on the DH group? and is the length > configurable? > > Thanks, > Jafar == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[INS-HSR]==
[strongSwan] nonce Length
Hi, What is the default length of the nonce used to establish and rekey IKE/Child SAs? is that based on the DH group? and is the length configurable? Thanks, Jafar
