Re: WG last call for IPv4 AH and ESP
I have no new issues about AH and ESP, but I do have some input on
authentication-only mode. There's been a lot of discussion about whether
or not keyed MD5 or SHA are too expensive. I was discussing the question
with Jim Reeds, a cryptographic mathematician here. He suggests that
an approach of that sort is overkill. A better idea, in his opinion,
is to use a comparatively weak but fast encryption algorithm (though
not an XOR-based stream cipher such as RC4 or OFB-mode DES) in conjunction
with a fast checksum algorithm. The authentication value would be the
checksum of the ciphertext -- but you'd never send the ciphertext, only
the plaintext. To deal with potential export issues for the source
code, modify the cipher so that it was a (possibly weak) one-way function.
For example, a permutation could be replaced by a table look-up that lost
information. The result wouldn't be decryptable short of (possibly
easy) cryptanalysis, and hence would not be readily usable as a cipher.
I should note, by the way, that in my opinion Jim Reeds' hunches on
cryptography are generally better than my careful analysis...
--Steve Bellovin
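As an added example, not code from the post or from Jim Reeds or Steve Bellovin: the construction above in Python, with a toy XOR stream cipher beside a toy keyed lossy-table transform, CRC-32 as the fast checksum, and a check showing why the post rules out XOR-based stream ciphers when the checksum is linear. All keys, messages and the two toy transforms are constructed for the demo.

```python
import hashlib
import zlib

# Constructed sample keys and messages (same length, so CRC's affine property applies).
K1, K2 = b"key-one", b"key-two"
M1, M2 = b"pay 10 to bob", b"pay 99 to bob"

def keystream(key: bytes, n: int) -> bytes:
    """Toy key-derived byte stream for the demo (not a real cipher design)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor_stream_encrypt(key: bytes, msg: bytes) -> bytes:
    """XOR-based stream cipher: exactly the kind the post says not to use."""
    return bytes(m ^ k for m, k in zip(msg, keystream(key, len(msg))))

def lossy_table_encrypt(key: bytes, msg: bytes) -> bytes:
    """Keyed, information-losing byte transform in the spirit of the post:
    a permutation replaced by a table look-up that is not a bijection, with
    each output byte fed into the next step so changes propagate."""
    table = keystream(key + b"table", 256)   # random 256->256 map, many collisions
    ks = keystream(key, len(msg))
    out, prev = bytearray(), 0
    for m, k in zip(msg, ks):
        prev = table[m ^ k ^ prev]
        out.append(prev)
    return bytes(out)

def tag(encrypt, key: bytes, msg: bytes) -> int:
    """The proposal: the authenticator is a checksum of the ciphertext,
    and only the plaintext plus this tag are sent."""
    return zlib.crc32(encrypt(key, msg))

def tag_delta(encrypt, key: bytes, m1: bytes, m2: bytes) -> int:
    return tag(encrypt, key, m1) ^ tag(encrypt, key, m2)

def delta_is_key_independent(encrypt, m1: bytes, m2: bytes, keys) -> bool:
    """Check worth running on any such construction: if the tag difference
    between two messages is the same under every key, one observed tag
    determines the tag of any other same-length message without the key."""
    return len({tag_delta(encrypt, k, m1, m2) for k in keys}) == 1

if __name__ == "__main__":
    print("xor stream + crc32 key-independent:",
          delta_is_key_independent(xor_stream_encrypt, M1, M2, [K1, K2]))
    print("lossy table + crc32 key-independent:",
          delta_is_key_independent(lossy_table_encrypt, M1, M2, [K1, K2]))
```

With the XOR stream cipher the CRC of the ciphertext differs between two equal-length messages by a key-independent amount, which is the failure the post's parenthetical warns about; the lossy table transform breaks that linearity.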