
Re: WG last call for IPv4 AH and ESP



I have no new issues about AH and ESP, but I do have some input on
authentication-only mode.  There's been a lot of discussion about whether
or not keyed MD5 or SHA are too expensive.  I was discussing the question
with Jim Reeds, a cryptographic mathematician here.  He suggests that
an approach of that sort is overkill.  A better idea, in his opinion,
is to use a comparatively weak but fast encryption algorithm (though
not an XOR-based stream cipher such as RC4 or OFB-mode DES) in conjunction
with a fast checksum algorithm.  The authentication value would be the
checksum of the ciphertext -- but you'd never send the ciphertext, only
the plaintext.  To deal with potential export issues for the source
code, modify the cipher so that it was a (possibly weak) one-way function.
For example, a permutation could be replaced by a table look-up that lost
information.  The result wouldn't be decryptable short of (possibly
easy) cryptanalysis, and hence would not be readily usable as a cipher.

I should note, by the way, that in my opinion Jim Reeds' hunches on
cryptography are generally better than my careful analysis...


		--Steve Bellovin
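As an added illustration of the construction Reeds sketches (not code from the post or from the IPsec drafts), a toy Python model: a keyed, lossy table-lookup transform plays the weak cipher, CRC-32 the fast checksum, and `xor_stream_tag` shows why the post excludes XOR-based stream ciphers, since a linear checksum over an XOR keystream gives tags that satisfy a key-independent relation. All function names, the S-box, the key and the messages are constructed for this example.

```python
"""Toy model of the post's sketch: tag = checksum(weak_cipher(key, plaintext)),
with only the plaintext and the tag transmitted.  Constructed illustration,
not code from the post."""
import hmac
import zlib

def crc32(data: bytes) -> int:
    """Fast, unkeyed checksum standing in for the 'fast checksum algorithm'."""
    return zlib.crc32(data) & 0xFFFFFFFF

# Constructed S-box with only 251 distinct outputs, so the table look-up loses
# information: the transform below is one-way-ish rather than a usable cipher.
SBOX = bytes((i * 167 + 29) % 251 for i in range(256))

def weak_transform(key: bytes, data: bytes) -> bytes:
    """Keyed, non-linear, chained byte transform (the 'weak but fast cipher')."""
    out = bytearray()
    state = 0x5A
    for i, b in enumerate(data):
        k = key[i % len(key)]
        state = SBOX[(b + k + state) & 0xFF] ^ SBOX[(state + i) & 0xFF]
        out.append(state)
    return bytes(out)

def reeds_tag(key: bytes, plaintext: bytes) -> int:
    """Authentication value: checksum of the ciphertext, which is never sent."""
    return crc32(weak_transform(key, plaintext))

def xor_stream_tag(key: bytes, plaintext: bytes) -> int:
    """The variant the post rules out: checksum over an XOR-keystream ciphertext."""
    stream = bytes(key[i % len(key)] for i in range(len(plaintext)))
    return crc32(bytes(p ^ k for p, k in zip(plaintext, stream)))

def tags_are_key_independent(tag_fn, key: bytes, p1: bytes, p2: bytes) -> bool:
    """True if tag(p1) ^ tag(p2) == crc32(p1) ^ crc32(p2).  For equal-length p1, p2
    this holds under every key when the cipher is XOR-based, because CRC is affine."""
    return tag_fn(key, p1) ^ tag_fn(key, p2) == crc32(p1) ^ crc32(p2)

def verify(key: bytes, plaintext: bytes, tag: int) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = reeds_tag(key, plaintext).to_bytes(4, "big")
    return hmac.compare_digest(expected, tag.to_bytes(4, "big"))

# Constructed sample key and two equal-length messages.
KEY = b"constructed-demo-key-0123"
MSG_A = b"seq=0001 status=ok"
MSG_B = b"seq=0002 status=ok"
```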