ipcdn-0----Page:28
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
|
(FYI) BPI+ MIB Draft Changes Draft 15 Status RFC Queued: Rooted by IANA as OID 126, http://www.iana.org/assignments/smi-numbers Agreed text for security section on privacy and confidentiality weakness in the BPI+ MIB Module. (RFC-Editor note) BPI+ Encryption Algorithms section: The BPI+ Traffic Encryption Keys (TEK) defined in the DOCSIS BPI+ specification [1] use 40-bit or 56-bit DES for encryption (DES CBC mode). There is currently no mechanism or algorithm defined for data integrity. Due to the DES cryptographic weaknesses, future revisions of the DOCSIS BPI+ specification should introduce more advanced encryption algorithms as proposed in the DocsBpkmDataEncryptAlg textual convention to overcome the progress in cheaper and faster hardware or software decryption tools. Future revisions of the DOCSIS BPI+ specification [1] should also adopt authentication algorithms as described in DocsBpkmDataAuthentAlg textual convention. It is important to note that frequent key changes do not necessarily help to mitigate or reduce the risks of a DES attack. Indeed, the traffic encryption keys which are configured on a per cable modem basis and per BPI+ multicast group can be utilized to decrypt old traffic even when they are no longer in active use. Note that not exempt of the same recommendations as above, the CM BPI+ authorization protocol uses triple DES encryption, which offers improved robustness compared to DES for CM authorization and TEK re-key management. |