
Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt




Sorry for being unclear.
It means that you can use this system till 2021 without problems.

The length of a MAC key depends on the lifetime of the system (rather
than the lifetime of a single MAC key).
One can have a key search machine trying keys by exhaustive search;
if the MAC key is modified, the search is restarted.
The success probability then depends on the lifetime of the system
rather than on the lifetime of a single MAC key (which can be seconds).

For MAC output lengths, the concern is that somebody may insert packets
with random MACs. The question is: what is the damage that can
be done (or value that can be gained) by a single injected packet?
  - I am not going to answer this one, but I guess that there
    are few applications where this is very high.
If you worry that from 2020 onwards the expected value:
(number of attempts * value of successful attempt)/2**80
gets too large, you can indeed start adding MAC bits at that
time (there is no need to do this now).
- you just need to be sure that you can update the standards
and the implementations when necessary.

Bart Preneel

On Wed, 12 Dec 2001, Steven M. Bellovin wrote:

> In message <Pine.GHP.4.33.0112122244540.6259-100000@domein.esat.kuleuven.ac.be>
> , Bart Preneel writes:
>
> >
> >For choosing MAC parameters, one has to take into account the
> >lifetime during which the system will be used (rather than the
> >lifetime of a single key).  I believe that 80-bit MACs are
> >sufficient for 20 years or more. A MAC of 96 bits may be chosen
> >for the alignment reasons mentioned above.  A MAC of 128 bits is
> >fine but probably too conservative;  anything larger is certainly
> >overkill and may even harm security in the long run.
>
> What do you mean by "sufficient for 20 years or more"?  That that's how long
> you expect that it will be safe to use such MACs for new connections?
> Obviously, a MAC only has to resist attack while it's still accepted,
> unlike a confidentiality key.
>
>
> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com
>
>
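The argument in the message above, as an added worked example that is not part of the original e-mail: a truncated MAC check plus the two probabilities discussed, key search restarted at every rekey and injection of packets with random MACs. Assumptions: HMAC-SHA-256 as the MAC (taken from the draft name in the subject line), all function names, and the constructed search rate and packet counts.

```python
import hashlib
import hmac
import math

def truncated_hmac(key: bytes, msg: bytes, tag_bits: int) -> bytes:
    """Leftmost tag_bits of HMAC-SHA-256 (assumed MAC; tag_bits multiple of 8)."""
    if tag_bits % 8 or not 0 < tag_bits <= 256:
        raise ValueError("tag_bits must be a multiple of 8 between 8 and 256")
    return hmac.new(key, msg, hashlib.sha256).digest()[: tag_bits // 8]

def verify(key: bytes, msg: bytes, tag: bytes, tag_bits: int) -> bool:
    """Reject tags of the wrong length so a sender cannot pick a shorter MAC."""
    if len(tag) * 8 != tag_bits:
        return False
    return hmac.compare_digest(truncated_hmac(key, msg, tag_bits), tag)

def p_any_success(p_single: float, trials: float) -> float:
    """1 - (1 - p)^trials, computed stably for very small p."""
    if p_single >= 1.0:
        return 1.0
    return -math.expm1(trials * math.log1p(-p_single))

def forgery_probability(tag_bits: int, injected_packets: float) -> float:
    """Chance that at least one packet carrying a random MAC is accepted."""
    return p_any_success(2.0 ** -tag_bits, injected_packets)

def expected_gain(tag_bits: int, attempts: float, value: float) -> float:
    """(number of attempts * value of successful attempt) / 2**tag_bits."""
    return attempts * value / 2 ** tag_bits

def key_search_probability(key_bits: int, keys_per_second: float,
                           system_lifetime_s: float, rekey_interval_s: float) -> float:
    """Exhaustive search restarted at every rekey, over the system lifetime."""
    per_key = min(1.0, keys_per_second * rekey_interval_s / 2.0 ** key_bits)
    return p_any_success(per_key, system_lifetime_s / rekey_interval_s)

if __name__ == "__main__":
    TWENTY_YEARS = 20 * 365 * 86400    # seconds
    RATE = 1e12                        # keys/second: constructed, hypothetical
    for interval in (1, 3600, 86400):  # rekey every second, hour, day
        print(interval, key_search_probability(80, RATE, TWENTY_YEARS, interval))
    print(forgery_probability(80, 2 ** 40), forgery_probability(96, 2 ** 40))
```

The key-search result is the same to within rounding for every rekey interval, which is the point the message makes about system lifetime versus key lifetime.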


