
Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt



>>>>> "Shoichi" == Shoichi Sakane <sakane@kame.net> writes:

 >> Title     : The HMAC-SHA-256-96 Algorithm and Its Use With IPsec
 >> Author(s) : S. Frankel, S. Kelly
 >> Filename  : draft-ietf-ipsec-ciph-sha-256-00.txt
 >> Pages     : 8
 >> Date      : 16-Nov-01

 Shoichi> Section 5 of RFC 2104 says,

 > We recommend that the output length t be not less than half
 > the length of the hash output (to match the birthday attack
 > bound) and not less than 80 bits (a suitable lower bound on
 > the number of bits that need to be predicted by an
 > attacker).

 Shoichi> Is it OK to truncate to 96 bits?

Applying the text from 2104 says "no" and the length should instead be
128 or more. 

Which makes me wonder: why was 96 chosen for the original 2 HMACs and
not 80?  80 would be the minimum value that satisfies the guideline
from RFC 2104.  Should therefore the SHA-2 based HMAC use a length
greater than 128 bits?

	paul
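
Added example, not part of the original message or of the draft: the RFC 2104 section 5 recommendation quoted above, applied to the 96-bit truncations under discussion, together with leftmost-bits truncation and constant-time verification of the truncated tag. The function names and the sample key and message are constructed for illustration.

```python
import hashlib
import hmac

MIN_TAG_BITS = 80  # RFC 2104 section 5: absolute lower bound on t


def min_truncation_bits(hash_name):
    """Smallest t meeting both RFC 2104 conditions: t >= L/2 and t >= 80."""
    out_bits = hashlib.new(hash_name).digest_size * 8
    return max(out_bits // 2, MIN_TAG_BITS)


def meets_rfc2104(hash_name, t_bits):
    return t_bits >= min_truncation_bits(hash_name)


def truncated_hmac(key, msg, hash_name, t_bits):
    """Return the leftmost t_bits of the HMAC output (RFC 2104 truncation)."""
    full = hmac.new(key, msg, hash_name).digest()
    if t_bits % 8 or not 0 < t_bits <= len(full) * 8:
        raise ValueError("t_bits must be a byte multiple within the hash output")
    return full[: t_bits // 8]


def verify(key, msg, tag, hash_name, t_bits):
    """Reject tags of the wrong length, then compare in constant time."""
    expected = truncated_hmac(key, msg, hash_name, t_bits)
    return len(tag) == len(expected) and hmac.compare_digest(expected, tag)


def audit(transforms):
    """Map each (hash, t) pair to (minimum t, whether t meets the guideline)."""
    return {(h, t): (min_truncation_bits(h), meets_rfc2104(h, t))
            for h, t in transforms}


if __name__ == "__main__":
    # The two existing 96-bit HMACs, the proposed one, and a 128-bit variant.
    pairs = [("md5", 96), ("sha1", 96), ("sha256", 96), ("sha256", 128)]
    for (h, t), (need, ok) in audit(pairs).items():
        print(f"HMAC-{h}-{t}: minimum t = {need} bits, meets guideline: {ok}")

    key, msg = b"\x0b" * 32, b"constructed sample packet"  # constructed inputs
    tag = truncated_hmac(key, msg, "sha256", 128)
    print("128-bit tag verifies:", verify(key, msg, tag, "sha256", 128))
```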


