
Re: 32 bit counter -- 96 bit HMAC-SHA/MD5



I'd be afraid that truncating to 96 bits would make brute-force
attacks too easy.  We've already seen 48 bit RC5 keys falling in very
short amounts of time (hours) using brute-force methods.  Today.
These MACs need to be secure for YEARS!  I don't think that a 96-bit
MAC is long enough to survive brute-force attacks for very long.

I'd be much happier with the extra 32 bits, keeping the MAC at 128.

-derek

HUGO@watson.ibm.com writes:

> 
> I haven't followed in detail all the votes but it seems
> that there is significant support for truncated HMAC-SHA
> and 32 bit counter.
> 
> Even if we allow for variable/negotiable/per-algorithm
> counter size it seems that 32 bit will be prevalent for
> the near future. Therefore, for the sake of easy alignment
> I recommend considering going to 96-bit truncated HMAC-SHA1 and
> 96-bit truncated HMAC-MD5
> (this is what we'd call HMAC-SHA1-96 and HMAC-MD5-96
> following the terminology in RFC2104)
> 
> I personally would NOT pay with security to save 32-bit
> padding. However, as already explained in the past, all the current
> evidence that we have seems to suggest that some truncation
> in the MAC is good. I would never go below 80 bit truncation.
> However, 96 bits sounds like a perfectly wise choice.
> 
> We do NOT have PROOFS as for the effect of truncation.
> We DO have some evidence to support it.
> Moreover, if truncation is discovered in the future to
> be bad for the combination of HMAC with some specific hash function
> then that hash function will have to be dropped for its use even
> without truncation. Our analysis suggests that it will be just too weak
> to use with HMAC.
> 
> Bottom line: today's cryptography justifies going to 96 bits
> (both MD5 and SHA1) and it helps alignment (with a typical 32-bit counter)
> 
> Hugo
> 
> PS: sorry for adding an option not covered in the straw poll...

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@MIT.EDU                        PGP key available
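As an added illustration of the two mechanisms the thread is arguing over (this is example code written for this page, not code from either message or from any IPsec implementation): the RFC 2104 truncation that turns HMAC-SHA1 into HMAC-SHA1-96 and HMAC-MD5 into HMAC-MD5-96, keeping the leftmost t bits of the full tag and leaving the key untouched, and a simplified sender/receiver exchange in which a 32-bit counter and a 96-bit tag together form a 128-bit (16-byte) trailer. The key and message are the first RFC 2202 test vector so the untruncated tag can be checked against the published value; the packet layout, the `protect`/`Receiver` names and the replay rule are assumptions made for the example and are not the ESP format.

```python
import hmac
import struct

# Constructed sample values (not from the thread). The keys and message are the
# first RFC 2202 test vector, so the full-length tags have known answers:
#   HMAC-SHA1: b617318655057264e28bc0b6fb378c8ef146be00
#   HMAC-MD5:  9294727a3638bb1c13f48ef8158bfc9d
KEY_SHA1 = bytes.fromhex("0b" * 20)
KEY_MD5 = bytes.fromhex("0b" * 16)
MSG = b"Hi There"

COUNTER_BITS = 32   # the "typical 32-bit counter" from the thread
TAG_BITS = 96       # HMAC-SHA1-96 / HMAC-MD5-96
TAG_LEN = TAG_BITS // 8
COUNTER_LEN = COUNTER_BITS // 8   # 4 + 12 = 16 bytes: a 128-bit trailer


def hmac_truncated(key: bytes, msg: bytes, hash_name: str, tag_bits: int) -> bytes:
    """HMAC (RFC 2104) with the output truncated to its leftmost tag_bits bits.

    RFC 2104 names the result HMAC-<hash>-<t>, e.g. HMAC-SHA1-96, and
    recommends t >= half the hash output length and t >= 80 bits; that floor
    is enforced here. Truncation shortens only the tag that is transmitted
    and compared; the key and the internal hash computation are unchanged.
    """
    full = hmac.new(key, msg, hash_name).digest()
    full_bits = len(full) * 8
    if tag_bits % 8 or not max(80, full_bits // 2) <= tag_bits <= full_bits:
        raise ValueError(f"tag length {tag_bits} not allowed for {hash_name}")
    return full[: tag_bits // 8]


def verify_truncated(key: bytes, msg: bytes, hash_name: str, tag_bits: int, tag: bytes) -> bool:
    """Recompute the truncated tag and compare in constant time."""
    expected = hmac_truncated(key, msg, hash_name, tag_bits)
    return hmac.compare_digest(expected, tag)


def protect(key: bytes, payload: bytes, seq: int) -> bytes:
    """Sender side (assumed layout): counter || payload || HMAC-SHA1-96(counter || payload)."""
    header = struct.pack("!I", seq)                       # 32-bit big-endian counter
    tag = hmac_truncated(key, header + payload, "sha1", TAG_BITS)
    return header + payload + tag


class Receiver:
    """Receiver side: verify the 96-bit tag, then reject replayed counters."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1   # highest counter accepted so far

    def unprotect(self, packet: bytes):
        """Return the payload, or None if the tag is bad or the counter was already seen."""
        if len(packet) < COUNTER_LEN + TAG_LEN:
            return None
        header = packet[:COUNTER_LEN]
        body = packet[COUNTER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        # Check the tag before trusting anything else in the packet.
        if not verify_truncated(self.key, header + body, "sha1", TAG_BITS, tag):
            return None
        (seq,) = struct.unpack("!I", header)
        if seq <= self.last_seq:
            return None          # replay or reordering: the counter is covered by the tag
        self.last_seq = seq
        return body
```

`hmac_truncated(KEY_SHA1, MSG, "sha1", 96)` yields the first 12 bytes of the RFC 2202 digest, and a request for a 64-bit tag is refused because it falls below the 80-bit floor Hugo's message also treats as the minimum. Because the counter is inside the authenticated data, an attacker cannot splice a valid tag onto a different counter value, which is what lets the receiver's replay check rely on it.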

