
Re: AH-MD5




"Housley, Russ" says:
> Hugo said: "Still my cryptographic feelings are inclined to prepend+append 
> but then the extra computation -even if quite insignificant- is harder to 
> justify."
> 
> Well, I think that it is easy to justify.  Given the tiny amount of 
> processing that we are discussing, it is far better to error on the safe 
> side of the decision.  Let's just adopt prepend+data+append and move on.

Not so fast...

I'm not opposed to changing the spec per se, but I am opposed to
intuition-based specification writing. If it made someone get warm
fuzzies for us to append the word "FOO" in ASCII to the end of every
packet, that wouldn't be cause enough to do it -- we would need
justification -- a reasonable argument.

I still haven't heard any reasonable argument on why a prepend-only
keyed MD5 with the data length at a fixed position in the packet
wouldn't be secure. Appending the key was purely a mechanism to stop
appending attacks and the length being in the packet stops
those. Arguments have been made that, given our lack of understanding
in depth of the security of MD5, we might be in trouble -- but if MD5
is good, we should be fine, and if MD5 is not good, then we shouldn't
be using it at all.

We've also heard arguments from Hugo to the effect that he wants a
security function that would work for things other than IP packets,
but he hasn't presented any arguments that we are insecure -- just
unpleasing to his aesthetics unless the function could be used on
arbitrary data and not just on IP packets. (This is not to say that
aesthetics isn't important but no one else has had this aesthetic
problem so I'd say he's in the minority right now.)

Does anyone have a concrete argument against the security of MD5 used
as we are using it? Not aesthetic concerns, not "well, we don't know
if MD5 is secure" (because if it isn't we should just scrap it,
period!). I'm looking for an argument of the form...

"If we define our function as we have, then an opponent can do X and Y
and then spoof packets".

Perry
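As an added illustration of the receive-side argument made in this message (not code from the thread, the AH-MD5 draft, or any IPsec implementation), the example below uses a constructed packet layout with a 16-bit length field at a fixed offset, computes the authenticator with each of the three constructions under discussion (prepend-only MD5(key||data), prepend+append MD5(key||data||key), and HMAC-MD5 from RFC 2104, which IPsec later adopted), and shows the order in which a verifier checks a packet: a fixed-position length that disagrees with the bytes actually received is rejected before the tag is even computed, and because the length field is inside the authenticated region, relabelling it invalidates the existing tag. The header layout, offsets, key, and payload are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed packet layout for this example (not the AH-MD5 wire format):
#   bytes 0-1 : version/flags (unused here)
#   bytes 2-3 : length of header+payload, big-endian, at a FIXED offset
#   bytes 4.. : payload
#   last 16   : MD5-based authenticator over header+payload
LEN_OFFSET = 2
HDR_LEN = 4
TAG_LEN = 16


def tag_prepend(key: bytes, data: bytes) -> bytes:
    """Prepend-only keyed MD5: MD5(key || data)."""
    return hashlib.md5(key + data).digest()


def tag_prepend_append(key: bytes, data: bytes) -> bytes:
    """Prepend+append keyed MD5: MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def tag_hmac(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104), the construction IPsec later standardised on."""
    return hmac.new(key, data, hashlib.md5).digest()


TAGGERS = {"prepend": tag_prepend, "prepend+append": tag_prepend_append, "hmac": tag_hmac}


def build_packet(key: bytes, payload: bytes, mode: str = "prepend") -> bytes:
    """Sender side: header with the true body length, payload, then the tag."""
    body = b"\x01\x00" + struct.pack("!H", HDR_LEN + len(payload)) + payload
    return body + TAGGERS[mode](key, body)


def verify_packet(key: bytes, packet: bytes, mode: str = "prepend"):
    """Receiver side. Returns (accepted, reason); checks length before the tag."""
    if len(packet) < HDR_LEN + TAG_LEN:
        return False, "truncated"
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    (declared,) = struct.unpack_from("!H", body, LEN_OFFSET)
    # Any bytes appended after the authenticated body change the received
    # length but not the fixed-position length field, so this check fires
    # first, without any tag computation.
    if declared != len(body):
        return False, "length mismatch"
    if not hmac.compare_digest(TAGGERS[mode](key, body), tag):
        return False, "bad tag"
    return True, "ok"


def demo() -> dict:
    """Run the three cases discussed in the message; returns reason per case."""
    key = b"constructed-sample-key"  # constructed sample key, not a real one
    reasons = {}
    pkt = build_packet(key, b"payload", "prepend")
    reasons["genuine"] = verify_packet(key, pkt, "prepend")[1]
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    # 1. Extra bytes appended to the body, length field untouched:
    #    rejected on the length check alone.
    reasons["appended"] = verify_packet(key, body + b"extra" + tag, "prepend")[1]
    # 2. Extra bytes appended AND the length field rewritten to match:
    #    the field is inside the authenticated region, so the old tag fails.
    grown = bytearray(body + b"extra")
    struct.pack_into("!H", grown, LEN_OFFSET, len(grown))
    reasons["relabelled"] = verify_packet(key, bytes(grown) + tag, "prepend")[1]
    # The same verifier works unchanged for the other two constructions.
    for mode in ("prepend+append", "hmac"):
        reasons[mode] = verify_packet(key, build_packet(key, b"payload", mode), mode)[1]
    return reasons


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:15s} -> {reason}")
```

The verifier deliberately reports why a packet was dropped; in a real implementation the distinction between "length mismatch" and "bad tag" should go to a counter or log rather than back to the peer, but it makes the check order visible here.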

