[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPsec mandatory authentication algorithms

To: Robert Moskowitz <rgm3@chrysler.com>
Subject: Re: IPsec mandatory authentication algorithms
From: Bart Preneel <Bart.Preneel@esat.kuleuven.ac.be>
Date: Tue, 7 Oct 1997 18:35:15 +0200 (METDST)
cc: "C. Harald Koch" <chk@utcc.utoronto.ca>, ipsec@tis.com, Karen Seo <kseo@bbn.com>
In-Reply-To: <3.0.3.32.19971007121622.00c3f960@dilbert.is.chrysler.com>
Organization: ESAT, K.U.Leuven, Belgium
Sender: owner-ipsec@ex.tis.com

I consider myself to be a member of the cryptographic community,
and I seriously question the statement that HMAC-MD5 and HMAC-SHA1
are equally secure.

Using HMAC-MD5 is a best a well calculated risk (something like 
using RSA-512).  Remember that only a limited effort has been spent on the 
cryptanalysis of MD5 (where would we be without Hans Dobbertin?).  
While it is correct that HMAC requires properties from MD5 that are weaker
than collision resistance, that does not imply that it is safe
to assume that MD5 has these properties.

I would hesitate to use HMAC-MD5 unless I could switch overnight
to HMAC-SHA1. 

Bart Preneel
-------------------------------------------------------------------------------
Katholieke Universiteit Leuven                       tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC            fax. +32 16 32 19 86
K. Mercierlaan 94, B-3001 Heverlee, BELGIUM

                           bart.preneel@esat.kuleuven.ac.be
                        http://www.esat.kuleuven.ac.be/~preneel
-------------------------------------------------------------------------------

On Tue, 7 Oct 1997, Robert Moskowitz wrote:

> At 10:38 AM 10/7/97 -0400, C. Harald Koch wrote:
> >
> >The cryptographic community appears to have declared MD5 anywhere from
> >suspect to compromised, depending on their level of paranoia.
> 
> Well, actually, I have old messages from Hugo stating that HMAC addresses
> these concerns.  And the workgroup came to the conclusion that HMAC-MD5 and
> HMAC-SHA1 were equally secure.  Then once we truncated both to 96 bits,
> well is there a difference anymore, other than MD5 is consistantly reported
> as faster than SHA1...
> 
> >Therefore, I'd recommend making HMAC with SHA-1 *mandatory*, and possibly
> >even specify that it should be preferred when negotiating.
> 
> Thus many of us feel that MD5 is the mandatory, as the SHA1 does not seem
> to bring technical value.
> 
> >Whether or not HMAC with MD5 is also mandatory is less important to me... :-)
> >
> And I feel the same about SHA1...
> 
> 
> Robert Moskowitz
> Chrysler Corporation
> (810) 758-8212
>

Follow-Ups:

Re: IPsec mandatory authentication algorithms

From: Robert Moskowitz <rgm3@chrysler.com>

References:

Re: IPsec mandatory authentication algorithms

From: Robert Moskowitz <rgm3@chrysler.com>

Prev by Date: Re: IPsec Architecture -- proposed changes
Next by Date: Re: IPsec mandatory authentication algorithms
Prev by thread: Re: IPsec mandatory authentication algorithms
Next by thread: Re: IPsec mandatory authentication algorithms
Index(es):
- Main
- Thread