
AH-MD5
Ref:  Your note of Wed, 25 Jan 1995 11:38:00 -0500 (attached)

 > From: "Perry E. Metzger" <perry@imsi.com>

 > In fact, because you and Ted Tso asked, we've already inserted that
 > sort of language into the next draft. As I said before, I thought the
 > suggestion was very good.  We are being quite explicit in the document
 > that the length is a necessary part of the security.  The language
 > will make it very clear that any system which does not have the length
 > at a fixed position in the block isn't secure.
 >

I was saying that just a clarification in the draft is NOT enough
(it is only the very minimal). What I want is that the function is
defined to explicitly prepend the length of the information together with
the key. That is, the length is prepended (not physically, but just
to the computation) even if the length happens to be part of the information.
(This is analogous to the MD5 definition, which APPends the length to the
computation regardless of whether the length parameter happened to be
written inside the information or not.)

Besides, as said before by many, appending is no big deal (in particular,
does not require the key prepend) and leaves a better margin for security.

Hugo

PS: as for cryptographic "evidence" I can show you DES-based constructions
of authentication functions that are trivially breakable with append-only
and prepend-only but not necessarily easy to break with prepend+append
(i.e., I do not see an immediate way to break it).
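The three keyed-MD5 constructions discussed in this message, written out as an added example (not code from the original post or from the AH-MD5 draft) so that the difference in what is fed to the hash is explicit. The key and message bytes are constructed here, and the 64-bit big-endian width of the length field is an assumption, not something the thread specifies.

```python
import hashlib
import hmac
import struct


def keyed_md5_prefix(key: bytes, msg: bytes) -> bytes:
    """Key-prepend only: MD5(key || msg).  The message length enters the
    computation only if the caller happens to place it inside msg."""
    return hashlib.md5(key + msg).digest()


def keyed_md5_prefix_len(key: bytes, msg: bytes) -> bytes:
    """Key-prepend with an explicit length: MD5(key || len(msg) || msg).
    The length is added to the computation only, never to the bytes sent,
    so it is always covered even when msg already carries a length field."""
    length_field = struct.pack(">Q", len(msg))  # 64-bit big-endian, assumed
    return hashlib.md5(key + length_field + msg).digest()


def keyed_md5_envelope(key: bytes, msg: bytes) -> bytes:
    """Prepend+append ("envelope"): MD5(key || msg || key)."""
    return hashlib.md5(key + msg + key).digest()


def authenticate(key: bytes, msg: bytes) -> tuple:
    """What goes on the wire: the message itself plus a tag.  The length
    field used in the tag is derived by the receiver, not transmitted."""
    return msg, keyed_md5_prefix_len(key, msg)


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute over the received bytes (their length is recomputed too)
    and compare in constant time."""
    return hmac.compare_digest(keyed_md5_prefix_len(key, msg), tag)


if __name__ == "__main__":
    key = b"constructed-key!"            # constructed sample key
    msg = b"AH payload (constructed)"    # constructed sample message
    for name, fn in (("prefix", keyed_md5_prefix),
                     ("prefix+len", keyed_md5_prefix_len),
                     ("envelope", keyed_md5_envelope)):
        print(f"{name:11s} {fn(key, msg).hex()}")
    wire_msg, tag = authenticate(key, msg)
    print("verify ok:", verify(key, wire_msg, tag))
```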