
Re: (IMPORTANT) Call for AH-MD5 and ESP-DES to move forward



> Randall Atkinson (and Perry and myself and others) originally proposed
> keying in the most simple and obvious way -- H[key,length,data].
> 
> After analysis, we now know that the originally proposed construct is
> more secure than what the "theoreticians" repeatedly told us we needed
> to change.  As demonstrated within 6 months by other more capable
> theoreticians.

Technical nitpick:

I assume you are claiming that recent attacks on the envelope method
show that it's less secure than H[key,length,data] ??  If so, you're
mistaken.  (Is this really important, anyhow?)

The collision-based attacks of Preneel & van Oorschot which apply to
the envelope method also apply to H[key,length,data] in exactly the
same way.  Furthermore, the comments of Kaliski & Robshaw apply to the
H[key,length,data] construction (which notably has no padding after
the key): short messages might be vulnerable to certain techniques,
such as linear cryptanalysis.  The envelope method in RFC1828 is
strengthened against the short-message concern.

We're seeing incremental improvements in hash-based MAC technology due
to research by the cryptographers-- that much is apparent, I think.

Apolitically yours,
-- Dave Wagner
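The two keyed-hash constructions the post compares, written out as an added example (not code from the post, from Dave Wagner, or from the IPsec working group): the secret-prefix form H[key,length,data], and the RFC 1828 envelope, in which the key is first filled to a 512-bit boundary with MD5's own pad-with-length rule, then followed by the data and the key again. The post does not say how the length field in H[key,length,data] is encoded, so the 8-byte big-endian byte count used here is an assumption. For comparison the block also includes HMAC-MD5 (RFC 2104), the construction that later replaced both of these in IPsec; that goes beyond the post, and the block cross-checks it against the standard library. The sample key and datagram bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs; not from any real datagram.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_DATA = b"constructed IP datagram with variable fields zeroed"


def md5_fill(message: bytes) -> bytes:
    """Apply MD5's 'pad with length' rule to `message`.

    Append 0x80, zero bytes up to 56 mod 64, then the original bit length
    as a 64-bit little-endian integer, so the result is a whole number of
    512-bit blocks. RFC 1828 uses exactly this rule to fill the key.
    """
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    filled = message + b"\x80"
    filled += b"\x00" * ((56 - len(filled) % 64) % 64)
    return filled + struct.pack("<Q", bit_len)


def secret_prefix_with_length_mac(key: bytes, data: bytes) -> bytes:
    """H[key, length, data] with MD5.

    Assumption: the length is the byte count of `data`, encoded as an
    8-byte big-endian integer. Note there is no padding between the key
    and the length/data, which is the point raised in the post.
    """
    return hashlib.md5(key + struct.pack(">Q", len(data)) + data).digest()


def rfc1828_keyed_md5(key: bytes, data: bytes) -> bytes:
    """Envelope method of RFC 1828: MD5(fill(key) || data || key).

    The filled key occupies its own block(s), so the data never shares a
    compression-function block with the key prefix; MD5 itself appends
    the final pad-with-length over the whole message.
    """
    return hashlib.md5(md5_fill(key) + data + key).digest()


def hmac_md5(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 per RFC 2104, spelled out rather than via hmac.new()."""
    block = 64
    if len(key) > block:
        key = hashlib.md5(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + data).digest()
    return hashlib.md5(opad + inner).digest()


def verify(mac_fn, key: bytes, data: bytes, tag: bytes) -> bool:
    """Check a received tag with a constant-time comparison."""
    return hmac.compare_digest(mac_fn(key, data), tag)


if __name__ == "__main__":
    for name, fn in (("H[key,length,data]", secret_prefix_with_length_mac),
                     ("RFC 1828 envelope", rfc1828_keyed_md5),
                     ("HMAC-MD5", hmac_md5)):
        print(f"{name:20s} {fn(SAMPLE_KEY, SAMPLE_DATA).hex()}")
```

All three tags are 128 bits; the differences are entirely in how the key is positioned relative to the data blocks, which is what the collision and short-message arguments in the thread turn on.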

