[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-thayer-seccomp-00.txt

To: "H.Krawczyk" <hugo@watson.ibm.com>
Subject: Re: I-D ACTION:draft-thayer-seccomp-00.txt
From: "Perry E. Metzger" <perry@piermont.com>
Date: Fri, 09 Aug 1996 16:40:31 -0400
Cc: ipsec@TIS.COM
In-Reply-To: Your message of "Fri, 09 Aug 1996 16:28:48 EDT." <9608092028.AA24044@copacabana.watson.ibm.com>
Reply-To: perry@piermont.com
Sender: ipsec-approval@neptune.tis.com


"H.Krawczyk" writes:
>  > That probably lowers security in some environments. Folding in the
>  > length of the datagram makes it harder to fake a datagram with the
>  > same MAC.
> 
> A personal "historical" remark:
> 
> One of the design principles of HMAC was not to rely on prepended length.

Certainly. But not all MACs used by IPSEC will necessarily be as
robust as HMAC.

> All of this is not to say that certain MAC (like CBC-MAC or even HMAC 
> with some hash functions) couldn't be benefited from prepended length. But 
> in that case the MAC MUST include the prepended length as part of its 
> definition and not to rely on the particularities of the data being 
> authenticated.

Certainly at the very least one must mention in such a transform
document that one is explicitly relying on the length being present...

Perry

References:

Re: I-D ACTION:draft-thayer-seccomp-00.txt

From: "H.Krawczyk" <hugo@watson.ibm.com>

Prev by Date: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Next by Date: Re: Last Call: HMAC-IP (Truncated HMAC-SHA)
Prev by thread: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Next by thread: Re: I-D ACTION:draft-thayer-seccomp-00.txt
Index(es):
- Main
- Thread