
RE: replay field size straw poll



> 
> The questions are:
> 	
> Should AH and ESP both have a fixed size replay counter? (Yes/No/Don't Care)
> If they have a fixed size counter, what size should it be? (32 bits/64 bits)
> Should SHA-1 output be truncated to 128 bits from 160 bits? (Yes/No/Don't Care)
> 

1) AH and ESP should have a fixed size replay counter (Yes).

Rationale: I don't see any incremental benefit in being able to negotiate
a replay counter size online, or in allowing different transform documents
to specify different sizes.  The KISS principle says make it fixed.

1a) AH and ESP should have the same fixed size.

Rationale: no benefit in different sizes.
64 bit alignment can be achieved by MBZ pad fields.

2) The fixed size should be 32 bits.

Rationale: is there any incremental benefit in replay protection beyond
4G packets?  (4K seconds, or over an hour, at 1M packets/second).  Is it
too big a burden to refresh keys every 4G packets, even if you believe
the crypto algorithm is strong enough to use for longer?

3) SHA should be truncated to 128 bits. (Yes)

Rationale: I'm not a cryptographer, but I am persuaded by Hugo's
arguments that truncating HMAC-SHA to 128 bits is beneficial to
security robustness.  At worst, I don't believe truncating SHA
could possibly result in a less secure HMAC than using MD5.
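The three poll questions above each map to a small piece of receiver and sender logic. The following Python is an added illustration written for this archive page, not code from the poster or from any IPsec implementation: it models a 32-bit fixed-size sequence counter that forces a rekey before it wraps, a bitmap-based anti-replay window on the receiving side, and an HMAC-SHA-1 integrity check value truncated to 128 bits as the poll proposes. The 64-entry window size, the `Sender`/`ReplayWindow` class names and the `lifetime_seconds` helper (which reproduces the "4G packets at 1M packets/second" arithmetic in the message) are all assumptions made for the example.

```python
import hashlib
import hmac

SEQ_BITS = 32                      # fixed-size counter, as argued in the post
SEQ_MAX = (1 << SEQ_BITS) - 1      # 4,294,967,295 packets per SA before rekey
WINDOW = 64                        # receiver window size (assumed for the example)
ICV_LEN = 16                       # 128-bit truncation of HMAC-SHA-1 (per the poll)


def lifetime_seconds(packets_per_second):
    """How long one SA lasts at a given rate before the 32-bit counter is exhausted."""
    return SEQ_MAX / packets_per_second   # ~4295 s (a bit over an hour) at 1M pps


class Sender:
    """Assigns sequence numbers; refuses to wrap, so the SA must be rekeyed instead."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq == SEQ_MAX:
            # Wrapping would let an attacker replay the first packets of the SA.
            raise RuntimeError("sequence space exhausted: negotiate a new SA")
        self.seq += 1
        return self.seq


class ReplayWindow:
    """Sliding bitmap window: bit 0 tracks `top`, bit i tracks `top - i`."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # which of the last `window` numbers were seen

    def check_and_update(self, seq):
        """Return True and record `seq` if it is fresh; False if old or replayed."""
        if seq == 0 or seq > SEQ_MAX:
            return False                      # zero is never a valid sequence number
        if seq > self.top:
            shift = seq - self.top
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                self.bitmap = 1               # jumped past the whole window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window:
            return False                      # too old to track: drop it
        if (self.bitmap >> diff) & 1:
            return False                      # already seen: replay
        self.bitmap |= 1 << diff
        return True


def compute_icv(key, data):
    """HMAC-SHA-1 over the packet, truncated to 128 bits as the poll proposes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def verify_icv(key, data, icv):
    """Constant-time comparison of the received ICV against the recomputed one."""
    return len(icv) == ICV_LEN and hmac.compare_digest(compute_icv(key, data), icv)


if __name__ == "__main__":
    key = b"constructed-example-key"       # constructed, not a real SA key
    window = ReplayWindow()
    sender = Sender()
    for _ in range(3):
        seq = sender.next_seq()
        pkt = b"payload" + seq.to_bytes(4, "big")
        icv = compute_icv(key, pkt)
        print(seq, verify_icv(key, pkt, icv), window.check_and_update(seq))
    print("replay of seq 2 accepted?", window.check_and_update(2))
    print("SA lifetime at 1M pps: %.0f s" % lifetime_seconds(1_000_000))
```

The receiver logic is what actually provides replay protection; the fixed 32-bit counter only bounds how many packets an SA can carry, which is why the sender raises rather than wrapping. Truncating the ICV changes the length of the tag carried on the wire but not the key or the HMAC computation itself.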

