
SHA-256-128 Draft: Is this really required? Contradiction...



Hello Folks,

In reviewing the latest SHA-256 draft, "The HMAC-SHA-256-128 Algorithm and
Its Use With IPsec", <draft-ietf-ipsec-ciph-sha-256-01.txt>, June 2002, I
notice a contradiction and a point which I (and others) believe eliminates
the need for the document to progress, even as an experimental.

In the draft, the authors state that...

"HMAC-SHA-1-96 [HMAC-SHA] (Madson, C. and R. Glenn, "The Use of
HMAC-SHA-1-96 within ESP and AH," RFC2404, November 1998.) provides
sufficient security at a lower computational cost [than this SHA-2 draft]".

...the draft then states...

"The goal of HMAC-SHA-256-128 is to ensure that the packet is authentic and
cannot be modified in transit."

...this is the 'goal' of HMAC-SHA-1-96 as it stands today.

In addition, while the new SHA-256 algorithm is definitely useful in other
contexts, in fact there is no evidence that DRAFT-SHA-256 provides any
meaningful additional cryptographic security over the HMAC-SHA-1-96
algorithm defined in RFC2404 and already in widespread use for packet
authentication in IPSec.  For all we know, quite the contrary may be true,
as SHA-256 is a new transform and thus has seen considerably less public
review so far than SHA1 has already received.  In any case, it is extremely
unlikely that HMAC-SHA1 will be the weak point in any system using IPSec.
Hence, it is not clear that trying to improve its security makes any sense,
given the costs and instability associated with such a change.

Given this and the fact that SHA-256 has no known cryptographic benefit
to implementing this proposed standard, there is no reason, even on an
experimental basis, for the IPSec WG to progress this document.

Regards,

Russell Dietz
Hifn, Inc.
750 University Ave
Los Gatos, CA, USA 95032-7695
Tel: +1 408 399-3623
pgp-fingerprint: CEE3 58B0 DD09 4EA5 7266 BF1E B5F6 4D1A 4AD1 65B4
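The two constructions the message compares, as an added example that is not part of the thread or of either specification: RFC 2404's HMAC-SHA-1-96 (ICV = first 96 bits of HMAC-SHA-1) beside the draft's HMAC-SHA-256-128 (ICV = first 128 bits of HMAC-SHA-256), with constant-time verification and a rough per-packet cost ratio. Function names, the 1400-byte sample payload and the cost measurement are my own; the known-answer values come from RFC 2202 and RFC 4231 test case 1.

```python
import hashlib
import hmac
import timeit

# ICV (truncated MAC) lengths in bytes: 96 bits for HMAC-SHA-1-96 (RFC 2404),
# 128 bits for HMAC-SHA-256-128 (the draft). Truncation keeps the leading bytes.
ICV_LEN = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}
HASH = {"hmac-sha1-96": hashlib.sha1, "hmac-sha256-128": hashlib.sha256}


def compute_icv(alg: str, key: bytes, authenticated: bytes) -> bytes:
    """Return the truncated HMAC over the bytes AH/ESP authenticates."""
    full = hmac.new(key, authenticated, HASH[alg]).digest()
    return full[: ICV_LEN[alg]]


def verify_icv(alg: str, key: bytes, authenticated: bytes, icv: bytes) -> bool:
    """Constant-time check of a received ICV; wrong length is rejected outright."""
    if len(icv) != ICV_LEN[alg]:
        return False
    return hmac.compare_digest(compute_icv(alg, key, authenticated), icv)


def relative_cost(packet_len: int = 1400, rounds: int = 2000) -> float:
    """Rough ratio (SHA-256 time / SHA-1 time) for one ICV over a constructed
    packet; the absolute numbers depend entirely on the host."""
    key = b"\x0b" * 32                 # constructed key, not a real SA key
    pkt = bytes(range(256)) * (packet_len // 256 + 1)
    pkt = pkt[:packet_len]              # constructed payload of packet_len bytes
    t1 = timeit.timeit(lambda: compute_icv("hmac-sha1-96", key, pkt), number=rounds)
    t2 = timeit.timeit(lambda: compute_icv("hmac-sha256-128", key, pkt), number=rounds)
    return t2 / t1


if __name__ == "__main__":
    k, msg = b"\x0b" * 20, b"Hi There"   # RFC 2202 / RFC 4231 test case 1 inputs
    print("HMAC-SHA-1-96   ICV:", compute_icv("hmac-sha1-96", k, msg).hex())
    print("HMAC-SHA-256-128 ICV:", compute_icv("hmac-sha256-128", k, msg).hex())
    print("SHA-256/SHA-1 cost ratio on this host: %.2f" % relative_cost())
```

The ratio printed last is what the "lower computational cost" clause in the quoted draft is about; it varies by CPU and hash implementation, so treat it as an illustration rather than a benchmark.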