
Re: Status of IPSEC Key Management



> I would like to raise a related issue. Current cryptographic mechanisms tend
> to go towards perfection. This is very well for privacy, and authentication
> of long lived storage, but do we really need a cryptographically strong 
> hashing algorithm for TCP packets? Wouldn't it be sufficient to have a
> keyed hashing algorithm which e.g. 'just' needs 100000 CPU years to be 
> reversed? Or even just a few hundred CPU years? The strength of the
> algorithm should be appropriate to the lifetime of the data.
> I really would not care for the authentication session key to be retrieved
> by the NSA one week after the TCP connection has been closed. Or for
> somebody to be able to forge packets under a certain key if I already have
> changed to a new session key.
> 
> Perhaps finding a *fast* hashing algorithm with reasonable security would 
> be a good first step to make authentication overhead attractive to people
> too?
> 
> Comments on this issue would be greatly appreciated...
> 
> Germano
> 
> Germano Caronni

We agree that there is a use for a (potentially weaker) fast hash
algorithm, and have been working on its development.

A similar issue was raised earlier in this group, 
when we were evaluating the performance of MD5.
The results of stand-alone MD5 performance were
published at Sigcomm 95 in our paper "Performance Analysis of MD5".

Phil Rogaway's 1996 RSA Data Security Conference presentation 
describes some algorithms and their speeds. One algorithm,
co-developed by Phil and our group, is about 3-5x faster
when run "stand-alone."

However, our current work measuring in-situ performance of
these algorithms in IPv4 shows that TCP/MD5 tops out at around 
37 Mbps on a Sun SPARC 20/71 (which can do TCP with null
authentication at 100 Mbps). This alternate hash (AH) runs
around 1.6x as fast, at 60 Mbps, for 1KB packets.

This algorithm appears to be a reasonable upper-bound for
authentication, since it uses only a very simple table lookup
(code from http://wwwcsif.cs.ucdavis.edu/~fishkin/md5/ ; see
below).

/* Definitions the posted fragment relies on but does not show, assumed
   here so it compiles: BYTE0 is the least significant byte of a 32-bit
   word, and htable is the 256-entry table from the URL above, which
   must be linked in separately. */
#include <stdint.h>
#define BYTE0(x) ((uint32_t)(x) & 0xff)
#define BYTE1(x) (((uint32_t)(x) >> 8) & 0xff)
#define BYTE2(x) (((uint32_t)(x) >> 16) & 0xff)
#define BYTE3(x) (((uint32_t)(x) >> 24) & 0xff)
extern uint32_t htable[256];

/* string: the message as 32-bit words; stringlen: length in bytes,
   expected to be a multiple of 16 (the caller pads); hash: four
   32-bit output words. uint32_t replaces unsigned long, which is
   64 bits wide on today's LP64 systems and would change BYTE3. */
void ah(const uint32_t *string, uint32_t *hash, int stringlen){
  uint32_t A, B, C, D, tmp;
  int i, nwords = stringlen / 4;

  A = B = C = D = 0;
  /* Four words per iteration. The original bound (i < nwords) read
     past the end of a message whose word count is not a multiple
     of 4; a trailing partial block is now left to the caller's padding. */
  for (i = 0; i + 3 < nwords; i += 4) {
    tmp = A ^ string[i];
    A ^= htable[BYTE0(tmp)];
    B ^= htable[BYTE1(tmp)];
    C ^= htable[BYTE2(tmp)];
    D ^= htable[BYTE3(tmp)];
    tmp = B ^ string[i+1];
    B ^= htable[BYTE0(tmp)];
    C ^= htable[BYTE1(tmp)];
    D ^= htable[BYTE2(tmp)];
    A ^= htable[BYTE3(tmp)];
    tmp = C ^ string[i+2];
    C ^= htable[BYTE0(tmp)];
    D ^= htable[BYTE1(tmp)];
    A ^= htable[BYTE2(tmp)];
    B ^= htable[BYTE3(tmp)];
    tmp = D ^ string[i+3];
    D ^= htable[BYTE0(tmp)];
    A ^= htable[BYTE1(tmp)];
    B ^= htable[BYTE2(tmp)];
    C ^= htable[BYTE3(tmp)];
  }
  hash[0] = A;
  hash[1] = B;
  hash[2] = C;
  hash[3] = D;
}

FYI.

Joe
----------------------------------------------------------------------
Joe Touch - touch@isi.edu		    http://www.isi.edu/~touch/
ISI / Project Leader, ATOMIC-2, LSAM       http://www.isi.edu/atomic2/
USC / Research Assistant Prof.                http://www.isi.edu/lsam/
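
As an added example, not part of Joe's message or of the UC Davis code: the
table-lookup hash restated compactly, fed from a session key so that the
table is the secret, padded so packets of any length can be tagged, and timed
stand-alone on 1KB packets the way the figures above are quoted. The
key-to-table expansion (xorshift32), the trailing length block, the
constant-time tag compare and the byte-order convention (BYTE0 is the least
significant byte) are assumptions made here, not taken from the posted code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

#define AH_BLOCK 16   /* four 32-bit words per iteration, as in the posted loop */

/* Little-endian word load. BYTE0 is taken to be the least significant byte. */
static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* One 16-byte block, the posted A/B/C/D sequence written as a loop: round r
 * XORs state word r with message word r, and byte j of the result selects a
 * table entry that is XORed into state word (r + j) mod 4. */
static void ah_block(const uint32_t T[256], const uint32_t w[4], uint32_t st[4])
{
    for (int r = 0; r < 4; r++) {
        uint32_t tmp = st[r] ^ w[r];
        for (int j = 0; j < 4; j++)
            st[(r + j) & 3] ^= T[(tmp >> (8 * j)) & 0xff];
    }
}

/* Tag a packet of any length: full blocks, a zero-padded tail, then a block
 * carrying the byte length (an addition here, so that messages differing only
 * in trailing zero bytes do not collide after padding). */
void ah_tag(const uint32_t T[256], const uint8_t *msg, size_t len, uint32_t tag[4])
{
    uint32_t st[4] = {0, 0, 0, 0}, w[4];
    uint8_t buf[AH_BLOCK];
    size_t off = 0;

    for (; off + AH_BLOCK <= len; off += AH_BLOCK) {
        for (int k = 0; k < 4; k++) w[k] = load32(msg + off + 4 * k);
        ah_block(T, w, st);
    }
    if (off < len) {                     /* partial tail: pad instead of over-reading */
        memset(buf, 0, sizeof buf);
        memcpy(buf, msg + off, len - off);
        for (int k = 0; k < 4; k++) w[k] = load32(buf + 4 * k);
        ah_block(T, w, st);
    }
    w[0] = (uint32_t)len;
    w[1] = (uint32_t)((uint64_t)len >> 32);
    w[2] = w[3] = 0;
    ah_block(T, w, st);
    memcpy(tag, st, sizeof st);
}

/* Constant-time compare, so a forger learns nothing from verification timing. */
int ah_tag_equal(const uint32_t a[4], const uint32_t b[4])
{
    uint32_t d = 0;
    for (int i = 0; i < 4; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Degenerate table T[i] = i, only for checking the round structure by hand. */
void ah_identity_table(uint32_t T[256])
{
    for (int i = 0; i < 256; i++) T[i] = (uint32_t)i;
}

/* Expand a 16-byte session key into the secret table. xorshift32 is an
 * illustrative expander, not a cryptographic KDF; its 256 consecutive
 * outputs are pairwise distinct because its state never repeats in a period. */
void ah_keyed_table(uint32_t T[256], const uint8_t key[16])
{
    uint32_t x = 0x9e3779b9u;
    for (int i = 0; i < 16; i++) x = (x ^ key[i]) * 0x01000193u;   /* fold key in */
    if (x == 0) x = 1;                                              /* xorshift needs nonzero state */
    for (int i = 0; i < 256; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        T[i] = x;
    }
}

/* Stand-alone throughput on pktlen-byte packets, in bytes per CPU second. */
double ah_bytes_per_second(const uint32_t T[256], size_t pktlen, int iters)
{
    uint8_t *pkt = malloc(pktlen);
    uint32_t tag[4];
    volatile uint32_t sink = 0;                     /* keeps the loop from being optimised away */
    if (!pkt) return 0.0;
    for (size_t i = 0; i < pktlen; i++) pkt[i] = (uint8_t)(i * 7 + 3);   /* constructed payload */
    clock_t t0 = clock();
    for (int i = 0; i < iters; i++) {
        pkt[0] = (uint8_t)i;                        /* keep successive packets distinct */
        ah_tag(T, pkt, pktlen, tag);
        sink ^= tag[0];
    }
    double secs = (double)(clock() - t0) / CLOCKS_PER_SEC;
    free(pkt);
    if (secs <= 0.0) secs = 1.0 / CLOCKS_PER_SEC;   /* clock resolution floor */
    return (double)pktlen * (double)iters / secs;
}

int main(void)
{
    static const uint8_t key[16] = {0x13,0x57,0x9b,0xdf,0x24,0x68,0xac,0xe0,
                                    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; /* constructed key */
    uint32_t T[256];
    ah_keyed_table(T, key);
    double bps = ah_bytes_per_second(T, 1024, 20000);
    printf("table-lookup hash, 1KB packets: %.1f Mbit/s stand-alone\n", bps * 8.0 / 1e6);
    return 0;
}
```

Build with `cc -O2` and compare the printed figure with the 60 Mbps quoted
above; the in-situ number also pays for the TCP path, so the stand-alone rate
is only the ceiling authentication can approach. With the identity table a
16-byte block of (0x01020304, 0, 0, 0) leaves the state at (4, 0, 0, 0), which
is the quickest way to confirm the byte-to-word routing matches the unrolled
original.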