
Re: AH-MD5



hugo@watson.ibm.com says:
> >> Hearing no objections -- delighted that the WG has come to quiet
> >> consensus.
> Just to break the *quiet* consensus: I personally would prefer to
> see a prepend+append MD5 for IP authentication.
> The reasons are a more robust security design, less plausible to
> suffer yet unknown vulnerabilities or implementation errors, at
> a very low cost compared to prepend only (notice that MD5, by definition,
> APPends the length of the information and I didn't see any claims
> that this causes any significant degradation in performance).

I support this proposal. However, I too don't think it's crucial.
So - if you'd like to buy some extra security cheap, prepend and
append the key. If you don't care - probably you're still OK but...

> Moreover, I do think that this kind of decisions need to involve the
> security area directorate, especially since the question of which
> keyed-MD5 mode to use touches almost every security-related WG in IETF,
> and not just specific to IPSEC.

Well, in some cases (like SNMP I'm familiar with), the message is
encoded in ASN.1 and MD5 runs over the whole thing (with the key
somewhere inside the packet), then the key is substituted for the
digest obtained and the packet is sent out. Thus no exposure here.
Other users may find themselves in a less secure position.

> Theoretically, even the prepend+append could be breakable
> while the prepend-only or append-only not (e.g., an attack on MD5
> that works only on information starting and ending with the same string),
> but this is highly improbable.

(:-) I'd be afraid rather of Birthday Paradox attack... (2^64)
--
Regards,
Uri         uri@watson.ibm.com      N2RIU
===========
<Disclamer>
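The three keyed-MD5 modes under discussion, and the SNMP key-in-place scheme Uri describes, as an added illustration in Python (not code from the thread or from any IPsec or SNMP implementation); the 16-byte key length, the header bytes and the payload are constructed assumptions:

```python
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 produces a 16-byte digest


def keyed_md5(key: bytes, msg: bytes, mode: str) -> bytes:
    """The keyed-MD5 modes compared in the thread."""
    if mode == "prepend":            # MD5(key || msg)
        data = key + msg
    elif mode == "append":           # MD5(msg || key)
        data = msg + key
    elif mode == "prepend+append":   # MD5(key || msg || key)
        data = key + msg + key
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return hashlib.md5(data).digest()


def snmp_style_sign(header: bytes, payload: bytes, key: bytes) -> bytes:
    """Key-in-place authentication as described for SNMP: the packet's digest
    field is filled with the key, MD5 runs over the whole packet, and the
    digest then overwrites the key before the packet goes out. Assumption:
    the key is exactly 16 bytes so it shares the digest slot."""
    if len(key) != DIGEST_LEN:
        raise ValueError("key must be 16 bytes to share the digest slot")
    digest = hashlib.md5(header + key + payload).digest()
    return header + digest + payload


def snmp_style_verify(packet: bytes, header_len: int, key: bytes) -> bool:
    """Receiver's check: lift the digest out, put the key back in its slot,
    recompute MD5 over the whole packet and compare in constant time."""
    if len(key) != DIGEST_LEN or len(packet) < header_len + DIGEST_LEN:
        return False
    header = packet[:header_len]
    received = packet[header_len:header_len + DIGEST_LEN]
    payload = packet[header_len + DIGEST_LEN:]
    expected = hashlib.md5(header + key + payload).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample values, not taken from the thread.
KEY = b"0123456789abcdef"
HEADER = b"\x30\x29\x02\x01\x01"   # constructed ASN.1-looking prefix
PAYLOAD = b"sysUpTime.0 = 12345"

if __name__ == "__main__":
    for mode in ("prepend", "append", "prepend+append"):
        print(mode, keyed_md5(KEY, b"hello", mode).hex())
    pkt = snmp_style_sign(HEADER, PAYLOAD, KEY)
    print("verify ok:", snmp_style_verify(pkt, len(HEADER), KEY))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    print("tampered ok:", snmp_style_verify(tampered, len(HEADER), KEY))
```

Note that the key never appears on the wire in the SNMP-style packet, which is the "no exposure" point made above.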