
Re: SHA-256/384/512



In message <3AA3F843.8135D875@cisco.com>, "David A. McGrew" writes:
>Steve,
>
>I agree that current message authentication methods are the bottleneck in this
>scenario.  However, I don't agree with the inference that counter mode is not
>worthwhile, as faster, parallelizable authentication methods exist and are
>easily adaptable to ESP.  Of course, it remains to agree which of those methods
>is worthwhile and produce a spec.
>
>IIRC, the other objection to CM that you raised was that the lack of an explicit
>IV makes CM vulnerable if the same key is used within multiple SAs.  While this
>is clearly an important caveat for CM, proper key management would prevent this
>from happening.  There would need to be a series of failures for this to happen
>with IKE, for example.  IMHO, the lower encapsulation overhead that is
>achievable with CM is one of the advantages of having real key management.


My two major objections to counter mode are, as you say, (a) it doesn't 
do any good without a suitable authentication scheme, and (b) the 
catastrophic failure mode if the same key and counter are reused.

I'm certainly open to arguments that other authentication schemes than 
HMAC are fast enough and secure enough, though I don't know that 
there's consensus on that point.  But I'm much more loath to accept 
assurances on point (b).  Sure, we could mandate that counter mode only 
be used with IKE (or better).  I don't think folks will listen...  More 
seriously, accidents do happen, if only because of bad PRNG seeds.  I 
don't like to tempt fate.  My preference is for one of the integrated 
secrecy+authentication modes.

		--Steve Bellovin, http://www.research.att.com/~smb
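The two objections above, as an added illustration that is not part of the original message or of any IPsec implementation: a toy counter mode in which SHA-256(key || counter) stands in for the block cipher (an assumption made so the example runs with the standard library only; ESP-CTR would use AES). It shows (b) that reusing a key and starting counter hands an attacker P1 XOR P2 from the ciphertexts alone, and that one known plaintext then recovers the other outright, and (a) that without an authenticator the attacker can flip chosen plaintext bits by flipping ciphertext bits. The per-SA key derivation at the end is a hypothetical KDF, not IKE's, included only to show how distinct per-SA keys keep keystreams from colliding even when the counter restarts at zero.

```python
import hashlib

def keystream(key: bytes, counter_start: int, nbytes: int) -> bytes:
    """Counter-mode keystream.  SHA-256(key || counter) is a stand-in for the
    block cipher (assumption for this example; not a real ESP cipher)."""
    out = bytearray()
    ctr = counter_start
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(16, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, counter_start: int, data: bytes) -> bytes:
    return xor(data, keystream(key, counter_start, len(data)))

ctr_decrypt = ctr_encrypt  # CTR decryption is the same XOR

# Constructed sample packets of equal length, both sent under the same key
# with the counter restarted at zero: the failure mode in objection (b).
KEY = b"\x11" * 32
P1 = b"GET /index.html  from host A, seq 0001"
P2 = b"PUT /secret.txt  from host B, seq 0002"

def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Attacker sees only c1 and c2.  Because both used the same keystream,
    c1 XOR c2 == p1 XOR p2, with no knowledge of the key."""
    c1 = ctr_encrypt(key, 0, p1)
    c2 = ctr_encrypt(key, 0, p2)
    return xor(c1, c2)

def recover_p2_with_known_p1(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Knowing one plaintext (e.g. a predictable header) yields the keystream
    and therefore the other plaintext in full."""
    c1 = ctr_encrypt(key, 0, p1)
    c2 = ctr_encrypt(key, 0, p2)
    recovered_keystream = xor(c1, p1)
    return xor(c2, recovered_keystream)

def bit_flip(key: bytes, plaintext: bytes, offset: int,
             old: bytes, new: bytes) -> bytes:
    """Objection (a): unauthenticated CTR is malleable.  XORing (old ^ new)
    into the ciphertext changes the decrypted bytes from old to new, and the
    receiver has no way to notice without an integrity check."""
    c = bytearray(ctr_encrypt(key, 0, plaintext))
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return ctr_decrypt(key, 0, bytes(c))

def sa_key(master_key: bytes, spi: bytes) -> bytes:
    """Hypothetical per-SA key derivation (not IKE's KDF): giving every SA its
    own key means a counter that restarts at zero in each SA never reuses a
    keystream across SAs."""
    return hashlib.sha256(b"ESP-CTR-SA" + master_key + spi).digest()

def cross_sa_leak(master_key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Same master key, two SAs, both starting their counter at zero."""
    c1 = ctr_encrypt(sa_key(master_key, b"\x00\x00\x00\x01"), 0, p1)
    c2 = ctr_encrypt(sa_key(master_key, b"\x00\x00\x00\x02"), 0, p2)
    return xor(c1, c2)  # no longer equal to p1 XOR p2

if __name__ == "__main__":
    print("c1^c2 == p1^p2:", keystream_reuse_leak(KEY, P1, P2) == xor(P1, P2))
    print("recovered p2  :", recover_p2_with_known_p1(KEY, P1, P2))
    print("bit-flipped   :", bit_flip(KEY, P1, 0, b"GET", b"PUT"))
    print("per-SA keys   :", cross_sa_leak(KEY, P1, P2) == xor(P1, P2))
```

The keystream-reuse and known-plaintext results hold for any counter-mode construction regardless of the underlying cipher, which is why the failure is not something a stronger block cipher can repair; only unique (key, counter) pairs, or a mode that binds an authenticator to the ciphertext, remove it.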