
Re: I-D ACTION:draft-thayer-seccomp-00.txt



Perry,

 >  
 > Bob Monsour writes:
 > > I would add that this does pose another problem for the environment where
 > > there may be a subsystem (say a chip or chipset) which takes an
 > > under-construction IP datagram as input and performs compression, encryption
 > > and AH MAC computation, outputting the complete IP datagram to be
 > > transmitted. Since the AH MAC is computed over the entire IP datagram, the
 > > datagram/payload length field of the packet is not known until after the
 > > data is compressed (prior to encryption). In order to avoid making multiple
 > > passes over the data, I would propose that the definition of the span of the
 > > MAC for AH eliminate the datagram/payload length field.
 > >
 > > Comments?
 >  
 > That probably lowers security in some environments. Folding in the
 > length of the datagram makes it harder to fake a datagram with the
 > same MAC.

A personal "historical" remark:

One of the design principles of HMAC was not to rely on prepended length.
Actually, my own involvement with MAC based on hash functions in IPSEC
started when the "official" proposal for AH was to use prepend-only key
(i.e., MD5(K,data)) which *requires* prepended length (to prevent trivial
extension attacks).

The answer to this objection of mine by certain people in the group 
(I'm sure you remember) was that IP headers carry the length anyway. 
I tried to argue that relying on that was a security and engineering 
mistake: "maybe one day..." went the argument.

The day is now here. A good lesson against security myopia.

And by the way, in Jim Hughes' draft the header (and thus the length) is not
authenticated either.

All of this is not to say that certain MACs (like CBC-MAC or even HMAC
with some hash functions) couldn't benefit from prepended length. But
in that case the MAC MUST include the prepended length as part of its
definition and not rely on the particularities of the data being
authenticated.

Hugo

 >  
 > Perry

