Re: AH-MD5




hugo@watson.ibm.com says:
> I was saying that just a clarification in the draft is NOT enough
> (it is only the very minimal). What I want is that the function is
> defined to explicitly prepend the length of the information together with
> the key. That is, the length is prepended (not physically, but just
> to the computation) even if the length happens to be part of the information.

Just to clarify, the third and fourth octet of an IPv4 datagram always
contain the total length of the datagram in octets. If I understand
what Hugo is asking for correctly, he would like to prepend for
purposes of the MD5 computation two octets of length information to
the packet before MD5ing it even though the third and fourth octets
already contain this information.

I must confess that I don't understand what the point of this would
be. Could you or someone else explain how this would increase
security, or, if I am wrong about what you are proposing, could you
clarify?

> PS: as for cryptographic "evidence" I can show you DES-based constructions
> of authentication functions that are trivially breakable with append-only
> and prepend-only but not necessarily easy to break with prepend+append
> (i.e., I do not see an immediate way to break it).

Well, yes, I could construct such things too -- but what is under
consideration is a particular function, and I can't see a way to break
the proposed method without breaking MD5.

Now, please, understand that I am *not* wedded to particular ways of
doing this. I'm happy to see us incorporate any alternative method
proposed PROVIDED that there is evidence that it is cryptographically
superior to the proposed method and doesn't cost a prohibitive amount
to use. However, I must confess that I don't understand the point
behind several of the requests that have been made. Perhaps a bit more
formalism is needed.


Perry
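
The computation discussed in the message above, as an added example that is not part of the original message: it reads the Total Length field from the third and fourth octets of a constructed IPv4 datagram and computes a keyed MD5 with and without two length octets fed in ahead of the datagram. The key-before-and-after placement, the function names and the sample datagram are assumptions made for illustration.

```python
import hashlib
import struct


def ipv4_total_length(datagram: bytes) -> int:
    """Return the Total Length field (third and fourth octets, big-endian)."""
    if len(datagram) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    return struct.unpack_from("!H", datagram, 2)[0]


def keyed_md5(key: bytes, datagram: bytes, prepend_length: bool) -> bytes:
    """MD5 over key || [2-octet length] || datagram || key.

    Assumption: the key is both prepended and appended. The length octets
    are fed only to the hash; they are never added to the packet itself.
    """
    h = hashlib.md5()
    h.update(key)
    if prepend_length:
        # Length of the bytes actually being hashed, in octets.
        h.update(struct.pack("!H", len(datagram)))
    h.update(datagram)
    h.update(key)
    return h.digest()


def build_datagram(payload: bytes) -> bytes:
    """Constructed sample: minimal 20-octet IPv4 header plus payload.

    The header checksum is left as zero; it is not needed for this example.
    """
    total = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total,      # version/IHL, TOS, Total Length
        0, 0,                # identification, flags/fragment offset
        64, 17, 0,           # TTL, protocol, checksum (unset)
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # documentation addresses
    )
    return header + payload


if __name__ == "__main__":
    key = b"constructed-demo-key"
    dgram = build_datagram(b"constructed payload")
    print("header length field:", ipv4_total_length(dgram), "actual:", len(dgram))
    print("without length:", keyed_md5(key, dgram, False).hex())
    print("with length:   ", keyed_md5(key, dgram, True).hex())
```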