[strongSwan] A few questions about ciphers

Raoul Duke rduke496 at gmail.com
Tue Dec 2 02:48:03 CET 2014 

Hi,

A couple of questions about ciphers.

According to this resource:

* the default for esp is: aes128-sha1,3des-sha1.
* the default for ike is: aes128-sha1-modp2048,3des-sha1-modp1536

When I log configured proposals for ESP (on a connection client) I see:

configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ

The first 2 seem to jibe with the documentation.  But what is the big
long third option?  Is this some kind of wildcard/fall-through?

I see something similar for IKE:

configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192

Again - the first 2 agree with the doc but then there is the longish
third option.  Can you please give some info on the third option?

2] for an IOS client I noticed that the following proposal:

received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

Which ended up in the following selection (based on the default settings):

ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ

If I wanted to enable the 256 version of the above would I do something like:

esp=aes256-sha1!

Is there any specific reason that the defaults are 128 and not 256?
it seems like 256 is thought of as being more secure (when users go
off and read some basic stuff about key sizes and form the conclusion
that 256 is better based on scare story factoids).  To what extent is
the choice of default a speed vs security trade-off?  Or a backwards
compatibility one?

Also - what is the significance of the SHA1 part of the cipher.
Again, I have recently had the experience that SHA1 is no longer
recommended when making certificates.  Is that a relevant factor here?
 I guess what I'm really asking is: what is the hash used for in this
case.  In any case it seems like SHA1 is all the IOS device proposes
so the decision is not in my hands.

As a general question: ESP is data traffic and IKE is
control/management traffic,  right?  To what extent is the choice of
ciphers important to one vs the other?

Forgive if any of these questions seem overly generic or lacking in
context - I'm just trying to educate my users with a statement on the
strength of the encryption and reassure them about the choice of key
sizes.

Thanks.

More information about the Users mailing list