Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt
>>>>> "Shoichi" == Shoichi Sakane <sakane@kame.net> writes:
>> Title     : The HMAC-SHA-256-96 Algorithm and Its Use With IPsec
>> Author(s) : S. Frankel, S. Kelly
>> Filename  : draft-ietf-ipsec-ciph-sha-256-00.txt
>> Pages     : 8
>> Date      : 16-Nov-01
Shoichi> the section 5 in RFC2104 says,
> We recommend that the output length t be not less than half
> the length of the hash output (to match the birthday attack
> bound) and not less than 80 bits (a suitable lower bound on
> the number of bits that need to be predicted by an
> attacker).
Shoichi> is it ok to truncate to 96 bits?
Applying the text from 2104 says "no" and the length should instead be
128 or more.
Which makes me wonder: why was 96 chosen for the original 2 HMACs and
not 80? 80 would be the minimum value that satisfies the guideline
from RFC 2104. Should therefore the SHA-2 based HMAC use a length
greater than 128 bits?
paul
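
The RFC 2104 section 5 guideline discussed in this message, worked through for MD5, SHA-1 and SHA-256 as an added example that is not part of the original message or of the draft. The function names, the `enforce_rfc2104` switch and the sample key and data are assumptions made for illustration.

```python
import hashlib
import hmac

# Hash output lengths in bits (MD5 and SHA-1 are "the original 2 HMACs").
HASH_BITS = {"md5": 128, "sha1": 160, "sha256": 256}

def rfc2104_min_tag_bits(hash_name):
    """Smallest t allowed by RFC 2104 section 5: at least half the hash
    output and at least 80 bits."""
    return max(HASH_BITS[hash_name] // 2, 80)

def truncation_ok(hash_name, tag_bits):
    return rfc2104_min_tag_bits(hash_name) <= tag_bits <= HASH_BITS[hash_name]

def truncated_hmac(key, msg, hash_name, tag_bits):
    """Leftmost tag_bits of the HMAC output (RFC 2104 truncation)."""
    if tag_bits % 8:
        raise ValueError("tag length must be a whole number of bytes")
    return hmac.new(key, msg, hash_name).digest()[: tag_bits // 8]

def verify(key, msg, tag, hash_name, tag_bits, enforce_rfc2104=True):
    """Check a truncated tag; optionally refuse lengths below the guideline."""
    if enforce_rfc2104 and not truncation_ok(hash_name, tag_bits):
        return False
    if len(tag) * 8 != tag_bits:
        return False
    expected = truncated_hmac(key, msg, hash_name, tag_bits)
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def survey(tag_bits=96):
    """Map each hash to (minimum t, whether tag_bits satisfies the guideline)."""
    return {h: (rfc2104_min_tag_bits(h), truncation_ok(h, tag_bits))
            for h in HASH_BITS}

if __name__ == "__main__":
    key = bytes(range(32))              # constructed sample key
    msg = b"constructed sample packet"  # constructed sample data
    for name, (min_bits, ok) in survey(96).items():
        print(f"HMAC-{name}: minimum t = {min_bits}, 96-bit tag ok: {ok}")
    for bits in (96, 128):
        tag = truncated_hmac(key, msg, "sha256", bits)
        print(bits, tag.hex(), verify(key, msg, tag, "sha256", bits))
```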