32 bit counter -- 96 bit HMAC-SHA/MD5

[HUGO@watson.ibm.com]

I haven't followed in detail all the votes but it seems
that there is signifcant support for truncated HMAC-SHA
and 32 bit counter.

Even if we allow for variable/negotiable/per-algorithm
counter size it seems that 32 bit will be prevalent for
the near future. Therefore, for the sake of easy alignment
I recommend considering going to 96-bit truncated HMAC-SHA1 and
96-bit truncated HMAC-MD5
(this is what we'd call HMAC-SHA1-96 and HMAC-MD5-96
following the terminology in RFC2104)

I personally would NOT pay with security to save 32-bit
padding. However, as already explained in the past, all the current
evidence that we have seems to suggest that some truncation
in the MAC is good. I would never go below 80 bit truncation.
However, 96 bits sounds as a perfectly wise choice.

We do NOT have PROOFS as for the effect of truncation.
We DO have some evidence to support it.
Moreover, if truncation is discovered in the future to
be bad for the combination of HMAC with some specific hash function
then that hash function will have to be dropped for its use even
without truncation. Our analysis suggests that it will be just too weak
to use with HMAC.

Bottom line: today's cryptography justifies going to 96 bits
(both MD5 and SHA1) and it helps alignment (with a typical 32-bit counter)

Hugo

PS: sorry for adding an option not covered in the straw poll...

---

Follow-Ups:

• Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
• From: Derek Atkins <warlord@MIT.EDU>

---

• Prev by Date: Re: replay field size
• Next by Date: Re: test vectors for HMAC-SHA-1 - Test Data and Bad News
• Prev by thread: Re: Quick Mode and KE payloads
• Next by thread: Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
• Index(es):
  • Main
  • Thread