
Re: [saag] No need for SHA-2 Packet Authentication - Open Letter to the WG and Area Directors



Russell Dietz wrote:
> Unfortunately, the current draft is misleading in this regard:
> "Using the SHA-256 block cipher, with its increased block size (512 bits)
> and increased hash length (256 bits), provides the new algorithm with the
> ability to withstand continuing advances in crypto-analytic techniques and
> computational capability............."
> It is our belief that, as currently defined in DRAFT-SHA-256, the use of
> SHA-256 does not achieve any of these stated goals.
> 
> First of all, the block size of SHA-256 (512 bits) is identical to that of
> SHA-1, so the first assertion in the quote above is simply false, although
> frankly it would have no relevance if true.  Second, there is no known
> reason why DRAFT-SHA-256 would in fact allow less frequent rekeying, using
> either 32-bit or 64-bit sequence numbers.

Actually it's even worse than that.

Yes, SHA-256 outputs twice as many bits as SHA-1. Sure, but who
says those bits are RANDOM? Uncorrelated? 

The SHA family of functions is a Hash family, not PRF. Thus,
longer output for re-keying purposes means exactly nothing.
[It does make a difference for hash/MAC of course, but not
rekeying.]

[If I may toot my own horn here - please look at the PRF-from-MAC
construct, that comes with formal security proofs, submitted by
yours truly :-).  It talks about hard random bits suitable for
keying material.]


Thanks!
--
Regards,
Uri