
Re: 32 bit counter -- 96 bit HMAC-SHA/MD5



Steven Bellovin <smb@research.att.com> writes:

> 
> 	 I'd be afraid that truncating to 96 bits would make brute-force
> 	 attacks too easy.  We've already seen 48 bit RC5 keys falling in very
> 	 short amounts of time (hours) using brute-force methods.  Today.
> 	 These MACs need to be secure for YEARS!  I don't think that a 96-bit
> 	 MAC is long-enough to survive brute-force attacks for very long.
> 
> No, they have to be secure for hours at best.  This is for per-packet
> authentication; when you rekey, old packets are useless to the adversary.
> And there are no secrecy implications here -- my attacks assumed that
> the key was still live.

Let me rephrase what I meant. These *algorithms* need to be secure
for years (not the actual MAC values, of course those change
relatively quickly).  The problem is that as computer speed increases
the amount of time required to brute-force these values will decrease.
Just look at how the time to break 40-bit keys has decreased over the
last year or two.

I'm just afraid that a 96-bit MAC might come down into this breakable
range before the algorithms get replaced.  And if we limit them to 96
bits completely, eventually the brute-force mechanisms will catch up
with us.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@MIT.EDU                        PGP key available

