
Re: (IMPORTANT) Call for AH-MD5 and ESP-DES to move forward



> From: David A Wagner <daw@orodruin.cs.berkeley.edu>
> I assume you are claiming that recent attacks on the envelope method
> show that it's less secure than H[key,length,data] ??  If so, you're
> mistaken.  (Is this really important, anyhow?)
>
Hmmm, we can put our heads together and compare at LA, but looking at
"MDx-MAC" proposition 4 (page 6), finding internal collisions, but no
key recovery (yet):
  sqrt( 2/(s+1) * 2 ** 64 )         for H[key,length,data]

versus "Two MAC" proposition 2 (page 5), with key recovery:
  sqrt( 2 * 2 ** 64 )               for H[key,data,key]

Seems much weaker to me....


> Furthermore, the comments of Kaliski & Robshaw apply to the
> H[key,length,data] construction (which notably has no padding after
> the key): short messages might be vulnerable to certain techniques,
> such as linear cryptanalysis.

Actually, Atkinson's initial key was always padded (since 1993),
although we argued about whether it should be to 128 bits or 512 bits.
The consideration was always efficiency, however: it promoted block
alignment for IPng and allowed precomputation.

And as you may remember, Metzger and I were whipsawed back and forth on
the key padding issue by the crypto-theoreticians for several months!
I can refer you to messages from Colin Plumb, Eric Rains, Burt Kaliski,
Russ Housley, Hilary Orman, Rich Schroeppel, and of course the
ubiquitous IBM trio of Amir, Hugo and Uri.


> The envelope method in RFC1828 is
> strengthened against the short-message concern.
>
Yes.  And I thank you for the contribution.  But the reason that it was
so easily accepted was it fit with precomputation, and was easy to code!


> We're seeing incremental improvements in hash-based MAC technology due
> to research by the cryptographers-- that much is apparent, I think.
>
Yes.  I don't see any reason to leap off to yet another transform
without considerable validation by multiple analysts.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
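The two keyed-MD5 constructions the thread argues over, H[key,length,data] and the envelope H[key,data,key], worked through in code. This is an added example, not code from the thread or from RFC 1828: it carries a small pure-Python MD5 so that the compression state after the filled key block can be cached, which is the precomputation that filling the key to a full 512-bit block makes possible. The zero fill of the key, the 64-bit little-endian length field, and the sample key and payload are my assumptions for illustration; RFC 1828's actual fill differs.

```python
"""Added example: H[key, length, data] vs. the envelope H[key, data, key] on MD5,
with the key block precomputed. Not the thread's or RFC 1828's code.
Assumed (not from the thread): key zero-filled to one 512-bit block; length is a
64-bit little-endian byte count."""
import hashlib
import math
import struct

M32 = 0xFFFFFFFF
BLOCK = 64  # MD5 block size in bytes (512 bits)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & M32 for i in range(64)]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & M32


def md5_compress(state, block):
    """One MD5 compression of a 64-byte block into the 4-word chaining state."""
    M = struct.unpack("<16I", block)
    a, b, c, d = state
    A, B, C, D = state
    for i in range(64):
        if i < 16:
            f, g = (B & C) | (~B & D), i
        elif i < 32:
            f, g = (D & B) | (~D & C), (5 * i + 1) % 16
        elif i < 48:
            f, g = B ^ C ^ D, (3 * i + 5) % 16
        else:
            f, g = C ^ (B | ~D), (7 * i) % 16
        f = (f + A + K[i] + M[g]) & M32  # mask also folds Python's negative ~x
        A, D, C, B = D, C, B, (B + _rotl(f, S[i])) & M32
    return ((a + A) & M32, (b + B) & M32, (c + C) & M32, (d + D) & M32)


def _md5_tail(state, tail, total_len):
    """Finish MD5 from a chaining state that already absorbed the first
    (total_len - len(tail)) bytes, which must be a multiple of 64."""
    pad = b"\x80" + b"\x00" * ((55 - total_len) % 64)
    buf = tail + pad + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)
    for i in range(0, len(buf), BLOCK):
        state = md5_compress(state, buf[i:i + BLOCK])
    return struct.pack("<4I", *state)


def md5(data):
    return _md5_tail(IV, data, len(data))


def fill_key(key):
    """Zero-fill the key to one 512-bit block (assumed fill, not RFC 1828's)."""
    if not 0 < len(key) <= BLOCK:
        raise ValueError("key must be 1..64 bytes")
    return key + b"\x00" * (BLOCK - len(key))


def mac_key_length_data(key, data):
    """H[key, length, data]: filled key, explicit length, data, no trailing key."""
    return md5(fill_key(key) + struct.pack("<Q", len(data)) + data)


def mac_envelope(key, data):
    """H[key, data, key]: the envelope method, filled key on both ends."""
    k = fill_key(key)
    return md5(k + data + k)


def precompute_key_state(key):
    """The payoff of a 512-bit fill: the first compression depends only on the key,
    so its output state can be cached once per key and reused for every datagram."""
    return md5_compress(IV, fill_key(key))


def mac_envelope_precomputed(key_state, key, data):
    k = fill_key(key)
    return _md5_tail(key_state, data + k, BLOCK + len(data) + len(k))


def mac_key_length_data_precomputed(key_state, data):
    tail = struct.pack("<Q", len(data)) + data
    return _md5_tail(key_state, tail, BLOCK + len(tail))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample, not from the thread
    data = b"constructed IP datagram, invariant fields only"  # constructed
    st = precompute_key_state(key)
    assert md5(data) == hashlib.md5(data).digest()
    assert mac_envelope(key, data) == mac_envelope_precomputed(st, key, data)
    assert mac_key_length_data(key, data) == mac_key_length_data_precomputed(st, data)
    print("envelope MAC:", mac_envelope(key, data).hex())
```

With a key filled only to 128 bits the first block would mix key and data, and `precompute_key_state` would have nothing to cache; that is the efficiency argument for the 512-bit fill. The hashlib comparison in the `__main__` block is only a cross-check that the hand-written MD5 is correct.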