[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Summary of changes to HMAC-MD5-96 draft

To: ipsec@tis.com, rob.glenn@nist.gov
Subject: Re: Summary of changes to HMAC-MD5-96 draft
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Sun, 15 Feb 1998 11:38:53 +0200 (IST)
Sender: owner-ipsec@ex.tis.com

Rob,

the addition below is not acceptable in the text:

>
>4. In response to the document reading party's comment:
>
>>There is a requirment that "any known attacks" be discussed in the
>>Security Considerations section. The MD5-96-01 doc does not discuss this.
>
>The following as added to paragraph 1 of section 5.
>
>At the time of this writing there are no known cryptographic attacks against
>HMAC-MD5-96.

Of course, THERE ARE such attacks (exhaustive key recovery attack,
MAC guessing attacks, on-line birthday attacks are all cryptographic 
attacks). Even if they are currently impractical they exist.
You should refer to the following text of rfc 2104 or even adapt a part 
of it to your needs here (I stress that this text does apply to the 96-bit
truncated output version used in ipsec).

   The strongest attack known against HMAC is based on the frequency of
   collisions for the hash function H ("birthday attack") [PV,BCK2],
   and is totally impractical for minimally reasonable hash functions.  
 
   As an example, if we consider a hash function like MD5 where the output 
   length equals L=16 bytes (128 bits) the attacker needs to acquire the 
   correct message authentication tags computed (with the _same_ secret key K!)
   on about 2**64 known plaintexts.  This would require the processing of at 
   least 2**64 blocks under H, an impossible task in any realistic scenario
   (for a block length of 64 bytes this would take 250,000 years in a continuous
   1Gbps link, and without changing the secret key K during all this time).
   This attack could become realistic only if serious flaws in the 
   collision behavior of the function H are discovered (e.g.  collisions 
   found after 2**30 messages). Such a discovery would determine the 
   immediate replacement of the function H (the effects of such failure 
   would be far more severe for the traditional uses of H in the context 
   of digital signatures, public key certificates, etc.).

Another part of rfc 2104 that you may want to bring explicitly is:

   Keys need to be chosen at random (or using a cryptographically strong
   pseudo-random generator seeded with a random seed), and periodically
   refreshed.  (Current attacks do not indicate a specific recommended
   frequency for key changes as these attacks are practically infeasible.
   However, periodic key refreshment is a fundamental security practice
   that helps against potential weaknesses of the function and keys, and
   limits the damage of an exposed key.)

Hugo

>
>Rob G.
>rob.glenn@nist.gov
>
>
>



--
John Kelley					johnk@tis.com
Director, Systems Administration
Trusted Information Systems, Inc.  (A NASDAQ company: "TISX")
http://www.tis.com

Prev by Date: Re: Summary of changes to HMAC-MD5-96 draft
Next by Date: Re: Help - Details on March 2nd worshop at Raliegh requested ...
Prev by thread: Re: Summary of changes to HMAC-MD5-96 draft
Next by thread: Changes to the ciph-des-explicit-iv draft
Index(es):
- Main
- Thread