
IP Authentication using Keyed MD5 / The ESP DES-CBC Transform



Ref:  Your note of Mon, 3 Jul 1995 18:53:13 +0200

PS to my response to Preneel's note:

I omitted the following comment related to the pseudorandomness condition
on the keyed compression function of MD5 and to the construction
MD5_K(MD5_K(text)).
For the above construction to be a good MAC, the requirement of pseudorandomness
can be traded for two requirements, each of which is weaker than
pseudorandomness.

The first is the compression function being a MAC. This is a significantly
weaker condition than being pseudorandom; in particular, statistical
weaknesses of the output do not necessarily imply a weakness as a MAC.
(Let me note that the compression function just being a MAC is no guarantee
for the iterative construction to be a MAC. It intuitively seems to be a
*necessary* requirement, although a proof of that will depend on the particular
way the compression function is used in a given construction.)

The second requirement is that the internal application of MD5_K(text)
be collision-resistant against an adversary that does not know K.
Notice that this requirement applies to the iterated MD5_K function,
not just the compression function.
This is weaker than requiring that the compression function be
pseudorandom, and weaker also than the traditional requirement
of collision resistance with known IVs.

The above second requirement is yet to be formalized, and the exact
(quantified) security relations between the above assumptions and
the quality of the resultant MAC are yet to be derived.
However, when purely heuristic arguments are considered (and much
of this discussion is carried on in purely heuristic terms -- much more than
I'd like), the above combination of assumptions must be considered seriously.

This is an important consideration behind MD5_K1(MD5_K2(text)).
In this case the external MD5_K1 (which involves only one application
of the keyed compression function) is assumed to be a MAC function,
while the internal application of (iterated) MD5 is assumed to be
collision resistant when used with a secret key K2.
Intuitively, if one can forge authenticated messages under the composed
construction then one can either find collisions in the internal MD5_K2
(with random and secret K2) or break the external MD5_K1 as a MAC.
The key-pad-text-key is a "dirty" approximation to this construction.
The prepended key acts as the internal K2, and the appended key as
the external K1.

Hugo
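As an added worked example (not part of Hugo's note, and not code from the IPsec drafts it discusses): a small pure-Python MD5 whose IV and running length can be set, so that MD5_K in the note's sense (iterated MD5 with the secret key K in place of the fixed IV) and the constructions discussed above can be computed and probed. The keys, the sample message and all helper names (md5_k, nested_mac, envelope_mac, extend_prefix_tag) are constructed for illustration. The example also carries out a length-extension forgery against a single keyed pass MD5_K(text), a standard property of Merkle-Damgard hashes that the note does not spell out; it illustrates concretely why a collision-resistant inner pass is not by itself a MAC and why the outer keyed application MD5_K1, which absorbs only one 16-byte block, is what closes the gap.

```python
"""Keyed-MD5 constructions from the note, with a settable-IV MD5 to emulate MD5_K.
Added example; the key/message values below are constructed, not from the note."""
import hashlib
import math
import struct

MD5_IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_T = [int(abs(math.sin(i + 1)) * 2**32) & 0xffffffff for i in range(64)]


def md5_compress(state, block):
    """One application of the MD5 compression function to a 64-byte block."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _T[i] + m[g]) & 0xffffffff
        a, d, c = d, c, b
        b = (b + ((f << _S[i]) | (f >> (32 - _S[i])))) & 0xffffffff
    return tuple((x + y) & 0xffffffff for x, y in zip(state, (a, b, c, d)))


def md5_padding(total_len):
    """Merkle-Damgard padding for a message of total_len bytes (0x80, zeros, 64-bit length)."""
    return b'\x80' + b'\x00' * ((55 - total_len) % 64) + struct.pack('<Q', (total_len * 8) & 0xffffffffffffffff)


def md5(data, iv=MD5_IV, prior_len=0):
    """Iterated MD5 from chaining value `iv`; prior_len resumes a hash as if that many
    bytes had already been absorbed (the hook the length-extension forgery uses)."""
    data += md5_padding(prior_len + len(data))
    state = iv
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack('<4I', *state)


def md5_self_check(data):
    """Cross-check the pure-Python MD5 against hashlib on the same input."""
    return md5(data) == hashlib.md5(data).digest()


def md5_k(key, text):
    """MD5_K(text): iterated MD5 with the 16-byte key K used as the IV (the note's notation)."""
    assert len(key) == 16
    return md5(text, iv=struct.unpack('<4I', key))


def nested_mac(k1, k2, text):
    """MD5_K1(MD5_K2(text)): inner pass is iterated MD5 keyed by K2; the outer pass
    absorbs one 16-byte digest plus padding, i.e. exactly one keyed compression call."""
    return md5_k(k1, md5_k(k2, text))


def envelope_mac(key, text):
    """The key-pad-text-key approximation: MD5(K || pad || text || K) with the unkeyed IV,
    K padded to a full 64-byte block so the prepended key plays the role of K2."""
    return hashlib.md5(key + b'\x00' * (64 - len(key)) + text + key).digest()


def extend_prefix_tag(tag, text_len, suffix):
    """Forgery against a single keyed pass MD5_K(text), without knowing K: treat the
    public tag as the chaining value and continue hashing.  Returns the bytes that must
    follow `text` and the tag that MD5_K accepts for text || glue || suffix."""
    glue = md5_padding(text_len)
    forged = md5(suffix, iv=struct.unpack('<4I', tag), prior_len=text_len + len(glue))
    return glue + suffix, forged


def demo():
    k1, k2 = b'\x01' * 16, b'\x02' * 16          # constructed keys
    text = b'SPI=0x1234 seq=1 payload=hello'     # constructed sample message
    tail, forged = extend_prefix_tag(md5_k(k2, text), len(text), b' ADMIN')
    nested = nested_mac(k1, k2, text)
    # Extending the outer digest yields MD5_K1(inner || pad || suffix), which no honest
    # verifier computes: the verifier always feeds a fresh 16-byte inner digest to K1.
    _, nested_forged = extend_prefix_tag(nested, 16, b' ADMIN')
    return {
        'prefix_forgery_verifies': forged == md5_k(k2, text + tail),
        'nested_forgery_verifies': nested_forged == nested_mac(k1, k2, text + tail),
        'nested': nested,
        'envelope': envelope_mac(k1, text),
    }


if __name__ == '__main__':
    print(demo())
```

The forgery succeeds against the lone inner pass because MD5 exposes its full chaining state as output, so a valid tag on `text` is a valid starting state for `text || padding || anything`; it fails against the nested form because the adversary never sees MD5_K2(text) and cannot finish the outer pass without K1. The two-key nested shape discussed in the note is the one later standardized as HMAC (RFC 2104), with K1 and K2 derived from one key via the opad/ipad constants.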