[dns-operations] IP address encryption: pseudonymization

Paul Hoffman phoffman at proper.com
Sun Feb 25 15:59:26 UTC 2018

On 25 Feb 2018, at 4:21, bert hubert wrote:

> I've not been able to determine if the weaknesses discussed on the 
> CFRG list
> are worse than the inherent limitations of IP address pseudonymization 
> or
> not.

If only it was that simple. As you can see from the thread on CFRG, 
there are other methods that do not have the inherent limitations of 
ipcrypt: instead, they have different ones.

The easiest one to describe is 
truncate_to_32_bits(aes_128(message=padded_ipv4, key=128_bit_random)). 
You cannot determine the key even with a huge number of known pairs. 
However, you get collisions in the output. So, if you have 4 million 
unique input addresses, about .1% of the output addresses will look like 
one source of input when in fact they are two sources mixed together.

> I've also taken a look at FF2/FF3 as noted there but have not been 
> able to
> find out the patent status of these algorithms. At the very least 
> there
> appears to a cloud of worry hanging over them.

There are definitely IPR worries, yes. Also, I hope you mean "FF1/FF3". 
NIST determined there was a security reduction in FF2.

--Paul Hoffman

More information about the dns-operations mailing list