On Fri, May 30, 2025, 11:13 AM Ariel Burbaickij <ariel.burbaic...@gmail.com> wrote:
> Question: why wireshark cares so much about authentication algorithm in
> this scenario, shouldn't it just decipher with all the information for it
> available or what goes on here as in "potential bug" ?
>

The authentication algorithm is used to determine the size of the ICV that follows the encrypted data. (There are "combined" algorithms, like AES-GCM, where the Authentication algorithm must be specified as NULL in the table because it's defined as part of the algorithm.) Note that the UAT contains entries for "unspecified authentication algorithm that produces a X-bit ICV," used for the length that will never try authenticating.

ESP, unlike some other protocols like SSH, does not contain a payload length field, either encrypted or unencrypted. If there is an ICV, there is no easy way to know when to stop or where the next header (next IP protocol) byte is; the decryption algorithm will "decrypt" the ICV and produce bogus data. (For SSH, one can if necessary decrypt the first block and then retrieve a length from there.)

OTOH, unlike some other protocols, ESP explicitly contains the initialization vector (IV) (or "implicitly" with a few ciphers, but in a sense that it can be derived from the sequence number that is explicitly transmitted.) That means at least that decrypting too much in one packet would not have the decoder in the wrong state to decode the next packet (as in SSH or TLS.)

One could decrypt as many blocks as fit into the payload, and then, similar to what is done with NULL encryption, count backwards from the end of the IP payload at various possible IV lengths and heuristically examine the bytes to see if they look like a reasonable next IP protocol value and padding bytes (for handing to another dissector.) This would sometimes produce false positives, as with NULL encryption.

However, this seems like a waste of time to implement, considering that the cipher has to be manually configured to decrypt in the first place. It's trivial to also select the correct length of ICV / authentication algorithm.

John Thacker
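The trailer-location problem described in the reply, as an added example (not part of the original message and not Wireshark's code): given cleartext ESP data, as with NULL encryption or after decryption, it counts back from the end at several candidate ICV lengths and checks whether the pad length, padding and next header look reasonable. The candidate lengths, the set of plausible next-header values, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# ICV sizes (bytes) to try; 12 corresponds to a 96-bit ICV.
CANDIDATE_ICV_LENGTHS = (0, 8, 12, 16, 24, 32)
# Next-header values treated as plausible: ICMP, IPv4, TCP, UDP, IPv6, ICMPv6.
PLAUSIBLE_NEXT_HEADERS = {1, 4, 6, 17, 41, 58}

def parse_trailer(data, icv_len):
    """Split cleartext ESP data (after SPI, sequence number and IV) into
    (payload, padding, next_header), assuming icv_len trailing ICV bytes."""
    end = len(data) - icv_len          # first byte of the assumed ICV
    if end < 2:
        return None
    pad_len, next_header = data[end - 2], data[end - 1]
    if pad_len > end - 2:              # padding cannot exceed what precedes it
        return None
    return data[:end - 2 - pad_len], data[end - 2 - pad_len:end - 2], next_header

def looks_valid(parsed):
    """Heuristic: known next header and RFC 4303 default padding 1, 2, 3, ..."""
    if parsed is None:
        return False
    _, padding, next_header = parsed
    return (next_header in PLAUSIBLE_NEXT_HEADERS
            and padding == bytes(range(1, len(padding) + 1)))

def guess_icv_lengths(data):
    """Return every candidate ICV length whose trailer passes the heuristic."""
    return [n for n in CANDIDATE_ICV_LENGTHS if looks_valid(parse_trailer(data, n))]

# Constructed sample: a 15-byte UDP datagram, 3 padding bytes, pad length 3,
# next header 17 (UDP), followed by a made-up 12-byte ICV.
INNER = struct.pack("!HHHH", 4500, 4500, 15, 0) + b"payload"
TRAILER = b"\x01\x02\x03" + bytes([3, 17])
SAMPLE = INNER + TRAILER + bytes.fromhex("a1b2c3d4e5f60718293a4b5c")
# Same packet, but the made-up ICV happens to end in 00 06, which also reads
# as "no padding, next header TCP" when no ICV is assumed.
AMBIGUOUS = INNER + TRAILER + bytes.fromhex("a1b2c3d4e5f60718293a0006")

if __name__ == "__main__":
    print(guess_icv_lengths(SAMPLE))      # [12]
    print(guess_icv_lengths(AMBIGUOUS))   # [0, 12]
    print(parse_trailer(SAMPLE, 16))      # None: wrong length, trailer misread
```

The second sample shows the false-positive case the reply mentions: two ICV lengths pass the heuristic, so only the configured authentication algorithm settles which trailer is real.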