
Re: "Default" cipher and authenticator



 > I didn't think we made SHA-1 part of the minimum default.  I thought it was
 > just HMAC MD5.  I agree with the DES CBC Explicit IV.

The last ESP & AH doc drafts I've seen (dated May 30) have the
following text that confirms Dan's original note quite clearly for
SHA-1.  But, the ESP draft seems to be implying that implicit IV with
DES CBC is the way to go but elsewhere in the text there are references
to explicit IVs so I think ESP was leaving it to the cipher algorithm
to specify.  ESP just described how you can have it either way.  I didn't
see any clarifications of this in the roadmap document either.  I had
also, like Dan, been assuming explicit IV is what will be mandated, now
I'm not so sure...  This needs to be stated more clearly in the next
document revision, when it references an actual DES CBC implicit(?) IV draft.


(ESP)

   conjunction with SAs that are manually keyed.  A compliant ESP
   implementation MUST support the following mandatory-to-implement
   algorithms (specified in [KBC97] and in [need a new I-D with DES-CBC
   and implicit IV generation, but no overlap with this document].

             - DES in CBC mode
             - HMAC with MD5
             - HMAC with SHA-1


(AH)

   conjunction with SAs that are manually keyed.  A compliant AH
   implementation MUST support the following mandatory-to-implement
   algorithms (specified in [KBC97]):

             - HMAC with MD5
             - HMAC with SHA-1


 > >From: Dan.McDonald@eng.sun.com (Dan McDonald)
 > >Subject: "Default" cipher and authenticator
 > >To: ipsec@tis.com
 > >Date: Mon, 21 Jul 1997 14:23:30 -0700 (PDT)
 > >Sender: owner-ipsec@ex.tis.com
 > >
 > >Hello!
 > >
 > >What are the minimum default cipher algorithms and authenticator algorithms
 > >currently?  From what I can tell:
 > >
 > >AUTHENTICATORS			CIPHERS
 > >==============			=======
 > >HMAC-MD5-96			DES-CBC (explicit IV)
 > >HMAC-SHA-1-96
                        
                         
   -- Marc --