
Re: technical clarification request to RFC-1828.



Paul Traina <pst@cisco.com> writes:
> My issue is entirely based upon what I consider to be an inadequate
> specification of the padding of the initial key.
[...]
> The RFC does not mis-specify the method of padding, merely it specifies it
> inadequately.
[..]
> I think some simple pseudo-code would be enough, as long as the "revision"
> to the RFC1323 MD5Final routine was *strongly* noted.

(I went digging through a stack of papers before I realized you meant 1321 :)

OK, so essentially you seem to be suggesting a clarification (in the RFC) of
the following phrasing in Section 2 of 1828:

	"First, the variable length secret authentication key is filled
	to the next 512-bit boundary, using the same pad with length
	technique defined for MD5."

How about rephrasing it as:

	"...512-bit boundary, using the padding technique defined in 
	subsections 3.1 and 3.2 of the MD5 specification [RFC-1321]."

I think that makes the method clear, since the relevant parts of MD5Final
are conveniently separately numbered in 1321. Would pseudo-code still be
preferable in addition to (or instead of) rephrasing like this?


Just to add fuel to the fire, I think the discussion of key length in 1828, 
subsection 1.1, could stand slight revision. In particular, I think the
last sentence

	"Longer keys are encouraged."

is ambiguous. Certainly, longer keys up to 128 bits in length should be 
encouraged versus shorter keys. But as I understand things, the security of 
this envelope construction is not increased by using a key with more than
128 bits of entropy, since MD5 only generates a 128-bit hash. (This is
already reflected to some extent in the 1828 Security Considerations section,
where the van Oorschot/Wiener MD5 supercollider is discussed.) If the key is 
only pseudorandom, however, then length(key) > 128 may be desirable to ensure 
at least 128 bits of entropy are present. 

The Security Considerations section already notes that the specification's 
security depends on the strength of MD5 and "the strength of the key". I am 
proposing a more explicit acknowledgement that keys longer than 128 bits are
only helpful under certain assumptions about their non-randomness, as a
result of the other two considerations.

-Lewis	<lew@cs.cornell.edu> (until mid-May)
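For readers following the padding discussion above, here is an added example (not part of this message or of either RFC) that spells out RFC 1321 subsections 3.1 and 3.2 as code and applies them to the key in the RFC 1828 envelope, MD5(filled_key || datagram || key). The datagram and key bytes are constructed sample values; the point worth seeing is that a key whose length is 56 mod 64 bytes needs a whole extra 512-bit block, which is exactly the detail a prose phrase like "pad with length" leaves implicit.

```python
import hashlib
import struct


def md5_pad(message: bytes) -> bytes:
    """Apply RFC 1321 padding to an arbitrary byte string.

    3.1: append a single 0x80 byte, then zero bytes until the length is
         congruent to 448 mod 512 bits (56 mod 64 bytes).
    3.2: append the 64-bit length of the *unpadded* message, in bits,
         low-order word first (little-endian).
    The result is always a whole number of 512-bit blocks.
    """
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    # (56 - len) % 64 is 0 when already at 56 mod 64, so a message of
    # 56 bytes gets 0x80 plus 63 zero bytes: a full extra block.
    padded += b"\x00" * ((56 - len(padded)) % 64)
    padded += struct.pack("<Q", bit_len)
    assert len(padded) % 64 == 0
    return padded


def rfc1828_authenticator(key: bytes, datagram: bytes) -> bytes:
    """Keyed-MD5 envelope from RFC 1828 section 2:
    the key is filled to a 512-bit boundary with the MD5 pad-with-length
    technique, followed by the datagram, followed by the raw key; MD5 then
    adds its own trailing pad-with-length for the whole message."""
    return hashlib.md5(md5_pad(key) + datagram + key).digest()


if __name__ == "__main__":
    key = b"\x5a" * 16            # constructed 128-bit key
    datagram = b"constructed sample datagram bytes"
    print(len(md5_pad(key)), "bytes of filled key")          # 64
    print(len(md5_pad(b"\x5a" * 56)), "bytes for a 56-byte key")  # 128
    print(rfc1828_authenticator(key, datagram).hex())
```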

