
Re: (IMPORTANT) Call for AH-MD5 and ESP-DES to move forward



I'm on the road, and don't have a lot of time to reply here:

> From: smb@research.att.com
> Of course, all along the unanimous opinion of the cryptographic theoreticians
> has been that keyed hash functions were an unknown -- they weren't designed
> to do that, and it wasn't clear that they were secure in this mode.  But
> we went ahead anyway.
>
Yes.  And we then learned that the "theoreticians" got it wrong.

Randall Atkinson (and Perry and myself and others) originally proposed
keying in the most simple and obvious way -- H[key,length,data].

After analysis, we now know that the originally proposed construct is
more secure than what the "theoreticians" repeatedly told us we needed
to change.  As demonstrated within 6 months by other more capable
theoreticians.

We made a mistake.  We made changes without 2 or 3 years of review.
We should never have given in to the pressure.

I remind you who prompted that change:

    Date: Tue, 24 Jan 95 18:40:52 EST
    From: hugo@watson.ibm.com
    To: bsimpson@MorningStar.Com, IPSEC@ans.net
    Cc: jis@mit.edu
    Subject: AH-MD5

    Just to break the *quiet* consensus: I personally would prefer to
    see a prepend+append MD5 for IP authentication.

    The reasons are a more robust security design, less plausible to
    suffer yet unknown vulnerabilities or implementation errors, at
    a very low cost compared to prepend only (notice that MD5, by definition,
    APPends the length of the information and I didn't see any claims
    that this causes any significant degradation in performance).

Think about his claims in the light of new evidence.


> Note carefully:  revision is *likely*.  If we're going to change it, now is
> the time -- after it goes to Draft, it's too late for fixes of this nature
> (absent, say, the discovery of a feasible attack).
>
In retrospect, let me apply the wisdom posted to this list, that
prompted Perry and me to make the change to H[key,data,key] rather than
Kaliski's proposal:

    Date: Tue, 14 Mar 95 15:28:27
    From: "Housley, Russ" <housley@spyrus.com>
    To: Hilarie Orman <ho@cs.arizona.edu>
    Cc: ipsec@ans.net
    Subject: Re[2]: End of WG Last Call for AH+MD5 and ESP+DES+3DES

    Hilarie said:
         I think that MD5(key, text, key) may be more secure than the double
         hash. My understanding is that Kaliski's suggestion was based on the
         idea that MD5(text) might be a useful subfunction.  However, I'm
         uneasy at the idea of a possible cryptanalysis of MD5(foo,key); not a
         question I've seen examined before.

    MD5(key,data,key) is one of the few things we had consensus about.  Burt
    did not say that this was weak, rather he said that the other had more
    study behind it.

    I think that we should keep MD5(key,data,key) because it can be computed
    with one function invocation when implemented in hardware.
    MD5(MD5(data),key) will require two function invocations in hardware
    implementations.

We now know a very formal analysis shows an IMPRACTICAL attack on
H[key,data,key].  But, between the 2 choices, practicality was a
principal consideration.

That is one of the reasons that DES was chosen over 3DES as required to
implement.  Yes, we know it's weaker than we'd like.  But we _know_ the
weaknesses.  And it's strong enough for practical purposes.

Now, if we wait long enough, we might find even better choices.  We have
something that works.  There is no hurry!

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
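An added example, not part of Simpson's message or of any IPsec draft: the keyed-MD5 constructions named in this thread, H[key,data], H[key,length,data], H[key,data,key] and H[H[data],key], implemented side by side, with a length-extension forgery run against each of them. The MD5 core is written out (rather than taken from hashlib) only so that hashing can be resumed from a known chaining state, which is what the extension needs. The key, data and suffix are constructed, the 32-bit big-endian length field for H[key,length,data] is an assumption (the thread does not specify an encoding), and HMAC-MD5, the construction that later replaced these proposals in AH, is included for comparison.

```python
"""Keyed-MD5 constructions from the AH discussion, plus a length-extension
forgery against the prefix-only form.  Added example; byte layouts and the
sample key/data are assumptions, not anything from the thread."""
import hashlib
import hmac
import math
import struct

# --- minimal MD5 that can be resumed from a known chaining state ----------
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def _compress(state, block):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_pad(total_len):
    """Merkle-Damgard padding MD5 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)


def md5(data, state=_IV, prior_len=0):
    """MD5(data).  With state/prior_len it continues a hash whose first
    prior_len bytes (a whole number of 64-byte blocks) produced `state`."""
    msg = data + md5_pad(prior_len + len(data))
    for i in range(0, len(msg), 64):
        state = _compress(state, msg[i:i + 64])
    return struct.pack("<4I", *state)


def md5_matches_hashlib(data):
    """Sanity check of the hand-written core against the library."""
    return md5(data) == hashlib.md5(data).digest()


# --- the constructions discussed in the thread ----------------------------
def mac_prefix(key, data):        # H[key,data]: prepend only, no length
    return md5(key + data)


def mac_prefix_len(key, data):    # H[key,length,data]: Atkinson's original (32-bit length assumed)
    return md5(key + struct.pack(">I", len(data)) + data)


def mac_envelope(key, data):      # H[key,data,key]: what AH-MD5 changed to
    return md5(key + data + key)


def mac_kaliski(key, data):       # H[H[data],key]: Kaliski's proposal
    return md5(md5(data) + key)


def mac_hmac(key, data):          # HMAC-MD5, the later replacement
    return hmac.new(key, data, "md5").digest()


# --- length extension: continue the hash without knowing the key ----------
def extend(tag, hashed_len, suffix):
    """From tag = MD5(X) and len(X) alone, return (glue, tag2) such that
    tag2 = MD5(X || glue || suffix).  X, which holds the key, is never needed."""
    glue = md5_pad(hashed_len)
    state = struct.unpack("<4I", tag)
    return glue, md5(suffix, state=state, prior_len=hashed_len + len(glue))


KEY = b"sixteen-byte-key"         # constructed
DATA = b"amount=100&to=alice"     # constructed
SUFFIX = b"&to=mallory"           # attacker's addition


def demo():
    """Attacker holds one valid (DATA, tag) pair per construction and submits
    DATA||glue||SUFFIX with the extended tag.  Returns {name: accepted?}."""
    cases = (("prefix", mac_prefix, 0),
             ("prefix_len", mac_prefix_len, 4),   # 4-byte length sits between key and data
             ("envelope", mac_envelope, 0),
             ("kaliski", mac_kaliski, 0),
             ("hmac", mac_hmac, 0))
    out = {}
    for name, fn, extra in cases:
        tag = fn(KEY, DATA)
        glue, forged_tag = extend(tag, len(KEY) + extra + len(DATA), SUFFIX)
        out[name] = fn(KEY, DATA + glue + SUFFIX) == forged_tag   # verifier's check
    return out


if __name__ == "__main__":
    print(demo())
```

Only H[key,data] accepts the forged message. Prepending the length, as in the original proposal, defeats it because the verifier's length field no longer matches the one buried under the attacker's continuation, and the envelope and nested forms put key material or a second hash after the point where the attacker can resume. None of this speaks to the separate, impractical attack on H[key,data,key] that the message refers to; it only shows why the prepend-only form was the one that actually needed changing.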

