[strongSwan] nonce Length

Jafar Al-Gharaibeh jafar at atcorp.com
Fri Sep 15 06:26:26 CEST 2017


On 9/14/2017 11:53 AM, Andreas Steffen wrote:
> Hi Jafar,
>
> the mandatory nonce plugin is a nonce generator which returns
> the requested number of random bytes. There are many other places in
> the strongSwan code where nonces of variable size are needed
> (e.g. for the IKE SPI or for the TLS client or server Hello).

Sure, my first grep -r "nonce" returned hundreds if not thousands of 
results.

Thanks again for the explanation, and also for the great work of 
the strongSwan team.

Kind Regards,
Jafar

> Kind regards
>
> Andreas
>
> On 14.09.2017 17:28, Jafar Al-Gharaibeh wrote:
>> Hi Andreas,
>>
>>     Thanks for the quick and thorough answer. I did not find that piece
>> of information (nonce size) in the documentation, but as you noted about
>> the source code, I did download and dig through the source code
>> yesterday and came across the 32 byte number. Thanks for confirming
>> that.
>>
>>     I also came across nonce plugin configuration:
>>     nonce {
>>     }
>>
>> Is there really anything configurable here or is that just there for
>> completeness?
>>
>> Kind Regards,
>> Jafar
>>
>> On 9/14/2017 1:56 AM, Andreas Steffen wrote:
>>> Hi Jafar,
>>>
>>> section 2.10 of IKEv2 RFC 7296 [1] states that
>>>
>>>     Nonces used in IKEv2 MUST be randomly chosen, MUST be at least
>>>     128 bits in size, and MUST be at least half the key size of the
>>>     negotiated pseudorandom function (PRF).  However, the initiator
>>>     chooses the nonce before the outcome of the negotiation is known.
>>>     Because of that, the nonce has to be long enough for all the PRFs
>>>     being proposed.
>>>
>>> This is why strongSwan generates nonces with a constant size of
>>> 32 bytes (256 bits) as defined in nonce_payloads.h [2]
>>>
>>>    /**
>>>     * Nonce size in bytes for nonces sending to other peer.
>>>     */
>>>    #define NONCE_SIZE 32
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> [1] https://tools.ietf.org/html/rfc7296#section-2.10
>>> [2] https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/encoding/payloads/nonce_payload.h;h=ee8ad17f789ed4fe6a2e3476fc710b79d74885aa;hb=HEAD#l30
>>>
>>>
>>>
>>> On 13.09.2017 20:37, Jafar Al-Gharaibeh wrote:
>>>> Hi,
>>>>
>>>>     What is the default length of the nonce used to establish and
>>>> rekey IKE/Child SAs? Is that based on the DH group? And is the length
>>>> configurable?
>>>>
>>>> Thanks,
>>>> Jafar
>>> ======================================================================
>>> Andreas Steffen andreas.steffen at strongswan.org
>>> strongSwan - the Open Source VPN Solution! www.strongswan.org
>>> Institute for Networked Solutions
>>> HSR University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===========================================================[INS-HSR]==
>>>
>>
>
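
The sizing rule quoted from RFC 7296 section 2.10 in the thread above, worked through in C as an added example (not part of the thread and not strongSwan code). The function names and the PRF table are hypothetical; key sizes assume the PRF output length is used as the key length, and the 16 to 256 octet bounds are those of RFC 7296 section 3.9.

```c
#include <stddef.h>
#include <stdio.h>

#define NONCE_SIZE 32    /* constant quoted in the thread */
#define NONCE_MIN  16    /* 128 bits, RFC 7296 section 2.10 */
#define NONCE_MAX  256   /* Nonce Data upper bound, RFC 7296 section 3.9 */

/* Hypothetical table for this example; key size assumed equal to PRF output size. */
typedef struct { const char *name; unsigned key_bits; } prf_t;
static const prf_t prfs[] = {
    { "PRF_HMAC_MD5",      128 }, { "PRF_HMAC_SHA1",     160 },
    { "PRF_AES128_XCBC",   128 }, { "PRF_HMAC_SHA2_256", 256 },
    { "PRF_HMAC_SHA2_384", 384 }, { "PRF_HMAC_SHA2_512", 512 },
};
#define PRF_COUNT (sizeof(prfs) / sizeof(prfs[0]))

/* Smallest nonce (bytes) allowed for one PRF: half its key size, never below 128 bits. */
size_t min_nonce_for_prf(unsigned key_bits)
{
    size_t half = (key_bits + 15) / 16;   /* key_bits / 2 bits, rounded up to bytes */
    return half < NONCE_MIN ? NONCE_MIN : half;
}

/* Initiator side: the PRF is not negotiated yet, so cover every proposed PRF. */
size_t initiator_min_nonce(const prf_t *proposed, size_t n)
{
    size_t need = NONCE_MIN;
    for (size_t i = 0; i < n; i++) {
        size_t m = min_nonce_for_prf(proposed[i].key_bits);
        if (m > need) need = m;
    }
    return need;
}

/* Receiver side: check a peer's nonce length once the PRF is known. */
int peer_nonce_ok(size_t nonce_len, unsigned negotiated_key_bits)
{
    if (nonce_len < NONCE_MIN || nonce_len > NONCE_MAX) return 0;
    return nonce_len >= min_nonce_for_prf(negotiated_key_bits);
}

int main(void)
{
    for (size_t i = 0; i < PRF_COUNT; i++)
        printf("%-18s needs >= %zu bytes\n", prfs[i].name,
               min_nonce_for_prf(prfs[i].key_bits));
    printf("all proposed: %zu bytes (NONCE_SIZE = %d)\n",
           initiator_min_nonce(prfs, PRF_COUNT), NONCE_SIZE);
    return 0;
}
```

With PRF_HMAC_SHA2_512 as the largest PRF in the table, the initiator requirement comes to 32 bytes, which matches the constant quoted in the thread.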


