
Re: Results of quick survey



Regarding the issue of HMAC SHA-1 versus HMAC MD5 and the mandatory
transform for ESP ....

During the discussion of the combined ESP DES-CBC, HMAC + Replay
Prevention transform at the LA IPSEC, there was a question on whether
the ICV (HMAC Residual) should be encrypted or unencrypted by ESP.

The desire for the ICV to be unencrypted is credited to Phil Karn in
his desire to lessen the impact of flooding (aka "clogging") attacks
where the receiver would be required to spend lots of time decrypting
bogus packets that could be dealt with more efficiently, and discarded
if bogus, by a less intensive MAC check.  If I recall correctly, Phil
announced at LA that as far as he was now concerned, this no longer
was an issue because he could run DES as fast as MD5 and therefore
unencrypting a packet was no big deal.  An issue: is this also the
case for DES vs SHA-1 and therefore we still don't care?

What I don't remember was the group coming to any consensus regarding
which way to go.  The current version of the transform
(draft-ietf-ipsec-esp-des-md5-01.txt) still has the ICV unencrypted.
Given the recent turmoil over the cryptographic weakness of MD5,
doesn't it make sense to limit the exposure of whichever MAC algorithm
is used to any future cryptographic attacks by encrypting the ICV?


Regards,

Howie Weiss

 ________________________________________________________________________
|                                                                        |
|  Howard Weiss                            phone (410) 381-9400 x201     |
|  SPARTA, Inc.                                  (301) 621-8145 x201 (DC)|
|  9861 Broken Land Parkway, suite 300     fax:  (410) 381-5559          |
|  Columbia, MD 21046                      email: hsw@columbia.sparta.com|
|________________________________________________________________________|
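
Added example, not part of the original message or of the draft it cites: a Python sketch of the receive-side ordering discussed above, in which an unencrypted ICV is verified before any decryption so that flooded bogus packets are dropped after the MAC check alone. The packet layout (8-byte IV, ciphertext, 12-byte HMAC SHA-1 ICV computed over IV and ciphertext), the key sizes and the SHA-256 keystream standing in for DES-CBC are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ICV_LEN = 12  # assumed ICV truncation length for this sketch
IV_LEN = 8    # assumed IV length

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode), NOT DES-CBC: the stdlib has no DES."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Encrypt, then append an unencrypted ICV computed over IV + ciphertext."""
    iv = os.urandom(IV_LEN)
    body = iv + _keystream_xor(enc_key, iv, payload)
    return body + hmac.new(mac_key, body, hashlib.sha1).digest()[:ICV_LEN]

class Receiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.decryptions = 0  # how often the cipher was actually run
        self.dropped = 0      # packets discarded by the MAC check alone

    def receive(self, packet: bytes):
        if len(packet) < IV_LEN + ICV_LEN:
            self.dropped += 1
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha1).digest()[:ICV_LEN]
        # Constant-time comparison; a bogus packet never reaches the cipher.
        if not hmac.compare_digest(icv, expected):
            self.dropped += 1
            return None
        self.decryptions += 1
        return _keystream_xor(self.enc_key, body[:IV_LEN], body[IV_LEN:])

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(20)
    rx = Receiver(enc_key, mac_key)
    good = seal(enc_key, mac_key, b"constructed payload")
    flood = [os.urandom(len(good)) for _ in range(1000)]      # constructed bogus packets
    tampered = good[:10] + bytes([good[10] ^ 1]) + good[11:]  # one flipped ciphertext bit
    results = [rx.receive(p) for p in flood + [tampered, good]]
    return results[-1], rx.decryptions, rx.dropped
```

With the ICV encrypted instead, the receiver would have to run the cipher on every one of the flooded packets before it could check anything, which is the cost the message weighs against limiting the MAC's exposure.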

