
draft-ietf-ipsec-ah-md5-00.txt

Ref:  Your note of Tue, 17 Jan 95 15:23:56 MST (attached)

 >
 > Oh, BTW... a CRC *is* a secure MAC if the polynomial and the MAC are
 > unknown to an attacker.  Given a few messages and MACs, it is easy to
 > find the GCD, which is the polynomial, but without, it's guesswork.
 > (This is from the folks who did the Strongbox secure loader at CMU -
 > they needed a *fast* secure hash.)
 > --
 > 	-Colin

Colin,

This statement, even if true, may confuse people. As you said,
the MAC (and polynomial) needs to be *unknown* to an attacker to be secure;
and then this is irrelevant to the IPSEC scenario where one needs
to transmit its value.
MOREOVER, even if you encrypt the CRC value under a perfect one-time pad
before transmitting it (i.e., perfect encryption), this authentication is
*not* secure. To make it secure you must append to the message a number of zeros
equal to the length of the CRC before doing the polynomial division (or an
equivalent shift operation). For details, see my paper "LFSR-based hashing and
authentication" in Crypto'94.

Hugo
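The following is an added worked example, not part of the thread and not code from the cited paper. It models the two constructions Hugo contrasts: a polynomial remainder M(x) mod p(x) computed with a secret degree-N polynomial p and then XORed with a one-time pad, versus the same thing with N zero bits appended to the message first (M(x)·x^N mod p(x)). The check a practitioner would want is whether a party who knows neither p nor the pad can still change a message and its tag consistently. For the unshifted variant this is trivial: any change confined to the last N message bits is its own remainder (its degree is below deg p), so flipping the same bits in the tag keeps verification passing. Once the zeros are appended, the remainder of that same change depends on p and the trick fails. Constructed assumptions: N = 32, the CRC-32 generator polynomial 0x104C11DB7 standing in for the secret p, and a fixed pad value; a real deployment would use a secret irreducible p and a fresh pad per message.

```python
"""Toy GF(2) polynomial hashing, tag encrypted with a one-time pad.

Constructed example: shows why N zero bits must be appended to the
message (multiplication by x^N) before the division by the secret
polynomial. Polynomials over GF(2) are encoded as Python ints,
bit i representing the coefficient of x^i.
"""

N = 32  # degree of the secret polynomial and width of the tag (assumption)


def gf2_mod(a: int, p: int) -> int:
    """Remainder of a(x) divided by p(x) over GF(2); p must have degree N."""
    deg_p = p.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_p:
        a ^= p << (a.bit_length() - 1 - deg_p)
    return a


def hash_no_shift(msg: int, p: int) -> int:
    """M(x) mod p(x): no zeros appended (the variant the note calls insecure)."""
    return gf2_mod(msg, p)


def hash_shifted(msg: int, p: int) -> int:
    """M(x) * x^N mod p(x): N zero bits appended before the division."""
    return gf2_mod(msg << N, p)


def make_tag(msg: int, p: int, pad: int, h) -> int:
    """Tag = hash XOR one-time pad; pad must be fresh and secret per message."""
    return h(msg, p) ^ pad


def verify(msg: int, t: int, p: int, pad: int, h) -> bool:
    """Receiver recomputes the tag with the shared secrets p and pad."""
    return make_tag(msg, p, pad, h) == t


def low_bits_change(msg: int, t: int, delta: int) -> tuple:
    """Modify the last N message bits by XOR with delta and XOR the same
    delta into the tag. Needs neither p nor the pad. Consistent for
    hash_no_shift because deg(delta) < deg(p) means delta mod p == delta;
    inconsistent for hash_shifted because (delta * x^N) mod p depends on p."""
    if delta.bit_length() > N:
        raise ValueError("delta must fit in the last N bits")
    return msg ^ delta, t ^ delta


def change_survives(h, p: int, pad: int, msg: int, delta: int) -> bool:
    """True if the low-bit change to (msg, tag) still verifies under hash h."""
    t = make_tag(msg, p, pad, h)
    new_msg, new_tag = low_bits_change(msg, t, delta)
    return verify(new_msg, new_tag, p, pad, h)


if __name__ == "__main__":
    # Constructed stand-ins for the secrets; see the lead-in.
    SECRET_P = 0x104C11DB7      # CRC-32 generator, degree 32, used as "secret" p
    PAD = 0x12345678            # one-time pad value for this single message
    MSG = int.from_bytes(b"IPSEC AH test packet", "big")  # constructed payload
    DELTA = 1                   # flip the last bit of the message

    print("no shift, change verifies:", change_survives(hash_no_shift, SECRET_P, PAD, MSG, DELTA))
    print("shifted,  change verifies:", change_survives(hash_shifted, SECRET_P, PAD, MSG, DELTA))
```

The two calls at the bottom return True and False respectively: the unshifted remainder lets a low-degree change pass without any knowledge of p, while the appended zeros push every change through the secret polynomial, which is the property the one-time pad then protects.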