Re: (IMPORTANT) Call for AH-MD5 and ESP-DES to move forward
> From: David A Wagner <daw@orodruin.cs.berkeley.edu>
> I assume you are claiming that recent attacks on the envelope method
> show that it's less secure than H[key,length,data] ?? If so, you're
> mistaken. (Is this really important, anyhow?)
>
Hmmm, we can put our heads together and compare at LA, but looking at
"MDx-MAC" proposition 4 (page 6), finding internal collisions, but no
key recovery (yet):
    sqrt(2/(s+1)) * 2 ** 64    for H[key,length,data]
versus "Two MAC" proposition 2 (page 5), with key recovery:
    sqrt(2) * 2 ** 64    for H[key,data,key]
Seems much weaker to me....
> Furthermore, the comments of Kaliski & Robshaw apply to the
> H[key,length,data] construction (which notably has no padding after
> the key): short messages might be vulnerable to certain techniques,
> such as linear cryptanalysis.
Actually, Atkinson's initial key was always padded (since 1993).
Although we argued about whether it should be to 128-bits or 512-bits.
The consideration was always for efficiency, however; promoted block
alignment for IPng and allowed precomputation.
And as you may remember, Metzger and I were whipsawed back and forth on
the key padding issue by the crypto-theoreticians for several months!
I can refer you to messages from Colin Plumb, Eric Rains, Burt Kaliski,
Russ Housley, Hilarie Orman, Rich Schroeppel, and of course the
ubiquitous IBM trio of Amir, Hugo and Uri.
> The envelope method in RFC1828 is
> strengthened against the short-message concern.
>
Yes. And I thank you for the contribution. But the reason that it was
so easily accepted was it fit with precomputation, and was easy to code!
> We're seeing incremental improvements in hash-based MAC technology due
> to research by the cryptographers-- that much is apparent, I think.
>
Yes. I don't see any reason to leap off to yet another transform
without considerable validation by multiple analysts.
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
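
The key fill and precomputation discussed in this message, as an added example that is not part of the original post: a sketch of the H[key,data,key] envelope with the key filled to a 512-bit boundary, showing that the keyed prefix state can be cached per key. It assumes the key fill is MD5's pad-with-length applied to the key (a reading of RFC 1828); the function names, key and datagram bytes are constructed for illustration.

```python
import hashlib
import struct

BLOCK = 64  # MD5 block size in bytes (512 bits)


def md5_fill(length: int) -> bytes:
    """MD5-style pad-with-length for `length` bytes of input:
    0x80, zero bytes up to 56 mod 64, then the bit length as 64-bit little-endian."""
    zeros = (55 - length) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", length * 8)


def keyed_prefix_state(key: bytes):
    """Hash state after key + key fill. The input is a whole number of blocks,
    so this state depends only on the key and can be computed once per key."""
    return hashlib.md5(key + md5_fill(len(key)))


def envelope_mac(key: bytes, data: bytes, state=None) -> bytes:
    """MD5(key, keyfill, data, key); MD5 appends its own trailing fill."""
    h = (keyed_prefix_state(key) if state is None else state).copy()
    h.update(data)
    h.update(key)
    return h.digest()


def demo():
    key = bytes(range(16))                       # constructed 128-bit key
    packets = [b"datagram-%d" % i for i in range(3)]  # constructed payloads
    cached = keyed_prefix_state(key)             # precomputed once
    return [envelope_mac(key, p, cached) for p in packets]


if __name__ == "__main__":
    for tag in demo():
        print(tag.hex())
```
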