
Re: I-D ACTION:draft-krovetz-umac-01.txt



As recently announced, the draft draft-krovetz-umac-01.txt is available 
from the Internet-Drafts directory.
This document contains a full specification of the "UMAC" 
Message Authentication Code (i.e., a function that provides data 
integrity verification for entities that share a key).
This is the result of a three-year project involving several researchers.  
A paper describing the mathematical foundations of the algorithm 
was published more than a year ago in CRYPTO '99 [1].

UMAC was designed to provide strong authenticity guarantees while 
being flexible, provably secure, and **as fast as possible** on modern 
(and emerging) processors.  Experiments show that UMAC achieves 
software speeds that are many times the speed of HMAC-SHA1.  
A quite unique feature of UMAC is that it lets you easily trade performance
and security: from weak authentication against Denial of Service at 
GigaByte/second to the strongest authentication for the real paranoids 
at 100's of MegaBytes/second.

For the most speed-demanding applications, as they emerge, I believe 
that UMAC provides a solution that is superior to current algorithms 
based on cryptographic hash functions (e.g. HMAC) or block ciphers 
(e.g. CBC-MAC).

See the UMAC homepage,  http://www.cs.ucdavis.edu/~rogaway/umac,  
for additional information, including some performance details. 

Hugo

PS: A word about UMAC's security. 
    UMAC's security analysis is based on two factors:
      1) The 20-year-old methodology (due to Carter and Wegman) for 
         building MAC functions on the basis of universal hashing.
      2) The availability of a strong cipher (e.g. AES).
    The result of this analysis is that the only way that the proven 
    security bounds for UMAC could fail is by breaking the underlying
    cipher (say Rijndael).  As long as this cipher is unbroken so is UMAC.  
    In this sense, UMAC does not need to be subject to cryptanalytical
    scrutiny before it can be used; you just need to believe that the
    underlying block cipher is secure.
    (See more information in [1] and in the draft's Security Considerations)

[1]  J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway. 
"UMAC: Fast and secure message authentication".   Advances in 
Cryptology - CRYPTO '99.  Lecture Notes in Computer Science, 
vol. 1666, Springer-Verlag, 1999, pp. 216-233.
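
The Carter-Wegman construction named in the PS, as an added example that is not part of the original message and is not UMAC itself: a polynomial universal hash masked by a per-nonce pad, plus a brute-force check of the key-collision bound over a small field. The field size, block encoding, function names and the use of HMAC-SHA256 in place of a block cipher are assumptions made for illustration.

```python
import hashlib
import hmac

P = 2**61 - 1  # prime field for the hash (constructed choice, not UMAC's parameters)

def blocks(msg: bytes) -> list[int]:
    # 6-byte chunks, each prefixed with 0x01 so every coefficient is nonzero
    # and distinct messages always give distinct polynomials.
    return [int.from_bytes(b"\x01" + msg[i:i + 6], "big") for i in range(0, len(msg), 6)]

def poly_hash(k: int, coeffs: list[int], p: int = P) -> int:
    # Universal hash: Horner evaluation of c1*k^n + ... + cn*k (mod p).
    acc = 0
    for c in coeffs:
        acc = (acc + c) * k % p
    return acc

def pad(cipher_key: bytes, nonce: bytes) -> int:
    # Stand-in for the block cipher: HMAC-SHA256 used as the PRF so the
    # example needs only the standard library (assumption, not AES).
    digest = hmac.new(cipher_key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest[:16], "big") % P

def cw_tag(hash_key: int, cipher_key: bytes, nonce: bytes, msg: bytes) -> int:
    # Carter-Wegman: hash the message, then mask the hash with a per-nonce pad.
    return (poly_hash(hash_key, blocks(msg)) + pad(cipher_key, nonce)) % P

def cw_verify(hash_key: int, cipher_key: bytes, nonce: bytes, msg: bytes, tag: int) -> bool:
    expected = cw_tag(hash_key, cipher_key, nonce, msg).to_bytes(8, "big")
    return 0 <= tag < P and hmac.compare_digest(expected, tag.to_bytes(8, "big"))

def colliding_keys(a: list[int], b: list[int], p: int) -> int:
    # Brute-force count of hash keys under which a and b collide. Two distinct
    # degree-n polynomials agree on at most n keys, so a forgery succeeds with
    # probability at most n/p over the choice of hash key.
    return sum(poly_hash(k, a, p) == poly_hash(k, b, p) for k in range(p))

if __name__ == "__main__":
    hk = 0x1234567890ABCDE  # constructed hash key, cipher key and nonce
    ck, nonce = b"k" * 16, (1).to_bytes(8, "big")
    t = cw_tag(hk, ck, nonce, b"transfer 100 to alice")
    print(cw_verify(hk, ck, nonce, b"transfer 100 to alice", t))
    print(cw_verify(hk, ck, nonce, b"transfer 900 to alice", t))
    print(colliding_keys([1, 2, 3], [3, 2, 1], 251))
```

The hash key only bounds the collision probability; hiding the hash output behind the pad is the part that rests on the cipher, which is why each nonce is used for one message only.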



