Re: AH HMAC * Last Call

>Steve Bellovin has asked that both AH HMAC MD5 and AH HMAC SHA be
>made mandatory to implement.  If others agree/disagree, that should
>be included in your WG Last Call response so Paul and I know what
>the consensus is.

I believe that HMAC SHA should be mandatory and HMAC MD5 should be optional.
There may be performance reasons for preferring MD5 (although Joe
Touch's recent data imply that both hashes are poor for ethernet MTUs
due to long setup times), so MD5 certainly should not be removed as
an option.

But making it mandatory sends the wrong message in a protocol designed
to be at the heart of Internet security.  Conservative design would
dictate that only the "most secure" option be mandatory, while still
allowing implementors to make performance tradeoffs if they feel it's
in their best interests.

It appears *at this time* that the HMAC construct is powerful enough
to resist Dobbertin's attacks against MD5.  But there must be a limit
to the ability of HMAC to hide weaknesses in the hash function - I
wouldn't expect AH-HMAC-CRC16, for example, to be a useful mode :-).
Based on current knowledge, it is reasonable to predict that MD5 will
fall to a level where HMAC can't protect it before that happens to SHA.

It is true that making MD5 mandatory to implement does not take away
anyone's option to not use it.  But a standards-track protocol will be
at least referenced, if not read, by people with a wide range of
expertise.  The mandatory status of an algorithm will be easily understood
by those not necessarily familiar with the qualifications attached to
its use. For this reason MD5 should be optional.