
Re: Comment regarding Nonce size



> PS: the above paragraph about the pre-hashing of long keys in HMAC also
> gives you a partial answer on your other question about what's the
> benefit of using nonces that are longer than the hash output size:
> while the extra length is not strictly needed, and can even be
> considered a "waste" if the nonce bits are TRULY random, the extra
> length may potentially help in the typical case that these bits are
> generated out of a weaker source of (pseudo) randomness.


It seems to me that this is only an advantage if you have a weak RNG but you
don't know it. If you think you have a weak RNG, wouldn't a better solution
be to generate a large nonce with sufficient entropy and then hash it down
to the size of the HMAC output? That would save bits on the wire, with no
apparent drawbacks.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
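
An added example, not part of the original message: it writes out HMAC's long-key pre-hash and shows that a long nonce hashed down before sending yields the same HMAC output as the long nonce itself. Assumptions: SHA-256 as the hash, the nonce used alone as the HMAC key, a raw nonce longer than the hash block size, and the hypothetical names `hmac_rfc2104`, `weak_rng`, `make_nonces` and `demo`.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256            # assumption: the thread names no specific hash
BLOCK = HASH().block_size        # 64 bytes for SHA-256
DIGEST = HASH().digest_size      # 32 bytes for SHA-256

def hmac_rfc2104(key: bytes, msg: bytes) -> bytes:
    """HMAC written out step by step to expose the long-key pre-hash."""
    if len(key) > BLOCK:         # keys longer than one block are hashed first
        key = HASH(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = HASH(bytes(b ^ 0x36 for b in key) + msg).digest()
    return HASH(bytes(b ^ 0x5C for b in key) + inner).digest()

def weak_rng(n: int) -> bytes:
    """Constructed weak source: at most 1 bit of entropy per output byte."""
    return bytes(b & 1 for b in os.urandom(n))

def make_nonces(raw_len: int = 256, rng=weak_rng):
    """Return (raw, wire): the long raw nonce and its hashed-down wire form."""
    raw = rng(raw_len)
    return raw, HASH(raw).digest()

def demo():
    raw, wire = make_nonces()
    msg = b"constructed sample message"
    tag_raw = hmac.new(raw, msg, HASH).digest()    # long nonce as key
    tag_wire = hmac.new(wire, msg, HASH).digest()  # hashed nonce as key
    return len(raw), len(wire), tag_raw == tag_wire

if __name__ == "__main__":
    raw_len, wire_len, same = demo()
    print(f"raw nonce {raw_len} bytes, wire nonce {wire_len} bytes, same HMAC: {same}")
```

The two tags match only because the raw nonce exceeds one hash block and is the entire key; a nonce concatenated with other key material, or one shorter than the block size, is not pre-hashed this way.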



