
AH-MD5
Ref:  Your note of Tue, 24 Jan 95 14:02:41 GMT

>> Hearing no objections -- delighted that the WG has come to quiet
>> consensus.

Just to break the *quiet* consensus: I personally would prefer to
see a prepend+append MD5 for IP authentication.

The reasons are a more robust security design, less plausible to
suffer yet unknown vulnerabilities or implementation errors, at
a very low cost compared to prepend only (notice that MD5, by definition,
APPends the length of the information and I didn't see any claims
that this causes any significant degradation in performance).

However, I am not going to "fight" for this if the rest of the
group feels comfortable with the prepend solution.
Moreover, I do think that this kind of decision needs to involve the
security area directorate, especially since the question of which
keyed-MD5 mode to use touches almost every security-related WG in IETF,
and is not just specific to IPSEC.

(BTW, in San Jose, in the SAAG meeting (at least in the minutes) it was
reported that an RFC on keyed MD5 will be written, and the existence
of a "vulnerability" was mentioned. Unfortunately I got no response
from the people I asked about the status of this document or the
kind of vulnerability they referred to.)

In my opinion, if the IETF goes for a "standard" prepend-MD5
they should define explicitly
that the length parameter is prepended to the computation
(say, after the key) and not left to the "luck" of having or not
having the length at a fixed offset in the information (as it "happens"
to be in the IP header).

Otherwise, we are inviting trouble by misuse of the function
(I must say that in some Internet drafts the need for the length
is made explicit but NOT the necessity of this length appearing
at the beginning - or at a fixed offset from the beginning -
of the MD5-ed information).

Append-only is also an alternative (it does not require the
length specification and is therefore more robust for secure implementation).
However, it is not necessarily more secure for authentication
than the prepend (key+length) option.
For example, if collisions are found in MD5 it would immediately
break the append mode but not necessarily the prepend.
Theoretically, even the prepend+append could be breakable
while the prepend-only or append-only are not (e.g., an attack on MD5
that works only on information starting and ending with the same string),
but this is highly improbable.

Hugo
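The three single-pass keyed-MD5 modes discussed in this message, written out as a reference so the framing choices are concrete. This is an added example, not code from the message, from the IPSEC drafts, or from any RFC: the 8-byte big-endian length field placed directly after the key, the key placement in each mode, the constant-time `verify` helper and the sample key and payload are this example's own assumptions. HMAC-MD5 (RFC 2104), the nested construction the IETF eventually standardized in place of these modes, is included from the standard library for comparison.

```python
"""Keyed-MD5 modes (prepend, append, prepend+append) next to HMAC-MD5.

Constructed example: the fixed-width length field, the key placement and
the sample inputs are assumptions of this example, not any draft's wording.
"""
import hashlib
import hmac
import struct


def _len_field(data: bytes) -> bytes:
    # Fixed-width length right after the key, so the receiver never relies
    # on the protected data "happening" to carry its own length at a known
    # offset (as an IP header does).  8-byte width is this example's choice.
    return struct.pack(">Q", len(data))


def tag_prepend(key: bytes, data: bytes) -> bytes:
    """MD5(key || len(data) || data): prepend mode with an explicit length."""
    return hashlib.md5(key + _len_field(data) + data).digest()


def tag_append(key: bytes, data: bytes) -> bytes:
    """MD5(data || key): append mode.  No length field is needed, because the
    key is the last input and MD5's own final padding block already encodes
    the bit length of everything hashed before it."""
    return hashlib.md5(data + key).digest()


def tag_prepend_append(key: bytes, data: bytes) -> bytes:
    """MD5(key || len(data) || data || key): keyed at both ends."""
    return hashlib.md5(key + _len_field(data) + data + key).digest()


def tag_hmac_md5(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104), the nested construction standardized later."""
    return hmac.new(key, data, hashlib.md5).digest()


MODES = {
    "prepend": tag_prepend,
    "append": tag_append,
    "prepend+append": tag_prepend_append,
    "hmac-md5": tag_hmac_md5,
}


def verify(mode: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag for `mode` and compare in constant time.

    A receiver must not stop at the first mismatching byte; the timing
    difference would leak how much of a forged tag is already correct."""
    expected = MODES[mode](key, data)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed sample input: a 16-byte key and a short payload.
    key = bytes(range(16))
    payload = b"GET /index.html HTTP/1.0\r\n\r\n"
    results = {}
    for name, fn in MODES.items():
        tag = fn(key, payload)
        results[name] = {
            "tag_hex": tag.hex(),
            "ok": verify(name, key, payload, tag),
            # Appending a byte must invalidate the tag in every mode.
            "tampered": verify(name, key, payload + b"X", tag),
            "wrong_key": verify(name, bytes(16), payload, tag),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:15s} {r['tag_hex']}  ok={r['ok']} "
              f"tampered={r['tampered']} wrong_key={r['wrong_key']}")
```

Running the script prints one line per mode; the `verify` results are the part worth reading, since the tag bytes themselves carry no meaning without the key. The length field is what makes the prepend modes self-describing: with it, the position where the data ends is fixed by the prefix rather than by whatever the data happens to contain.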