
RE: SHA-256-128 Draft: Is this really required? Contradiction...



I was originally opposed to SHA-2, but I got the impression from previous
discussions at IETF meetings and on this list that SHA-2 was going to be
faster than SHA-1. If that is not the case then I agree that there is no
need for SHA-2. (Unless it is to match the security strength of large DH
groups in key derivation, which, as we've discussed on this list before, is
more a limitation of the key derivation algorithm than of the hash).

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Russell Dietz
> Sent: Wednesday, July 17, 2002 3:15 AM
> To: ipsec@lists.tislabs.com
> Subject: SHA-256-128 Draft: Is this really required? Contradiction...
>
>
> Hello Folks,
>
> In reviewing the latest SHA-256 draft, "The HMAC-SHA-256-128
> Algorithm and
> Its Use With IPsec", <draft-ietf-ipsec-ciph-sha-256-01.txt>,
> June 2002, I
> notice a contradiction and a point which I (and others)
> believe, eliminates
> the need for the document to progress, even as an experimental.
>
> In the draft, the authors state that...
>
> "HMAC-SHA-1-96 [HMAC-SHA] (Madson, C. and R. Glenn, "The Use of
> HMAC-SHA-1-96 within ESP and AH," RFC2404, November 1998.) provides
> sufficient security at a lower computational cost [than this
> SHA-2 draft]".
>
> ...the draft then states...
>
> "The goal of HMAC-SHA-256-128 is to ensure that the packet is
> authentic and
> cannot be modified in transit."
>
> ...this is the 'goal' of HMAC-SHA-1-96 as it stands today.
>
> In addition, while the new SHA-256 algorithm is definitely
> useful in other
> contexts, in fact there is no evidence that DRAFT-SHA-256 provides any
> meaningful additional cryptographic security over the HMAC-SHA-1-96
> algorithm defined in RFC2404 and already in widespread use for packet
> authentication in IPSec.  For all we know, quite the contrary
> may be true,
> as SHA-256 is a new transform and thus has seen considerably
> less public
> review so far than SHA1 has already received.  In any case,
> it is extremely
> unlikely that HMAC-SHA1 will be the weak point in any system
> using IPSec.
> Hence, it is not clear that trying to improve its security
> makes any sense,
> given the costs and instability associated with such a change.
>
> Given this and the fact that SHA-256 has no known
> cryptographic benefit
> to implementing this proposed standard, there is no reason, even on an
> experimental basis, for the IPSec WG to progress this document.
>
> Regards,
>
> Russell Dietz
> Hifn, Inc.
> 750 University Ave
> Los Gatos, CA, USA 95032-7695
> Tel: +1 408 399-3623
> pgp-fingerprint: CEE3 58B0 DD09 4EA5 7266 BF1E B5F6 4D1A 4AD1 65B4
>
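The two transforms under discussion differ only in the underlying hash and in how much of the HMAC output is kept as the ICV: RFC 2404 keeps the leftmost 96 bits of HMAC-SHA-1, the draft keeps the leftmost 128 bits of HMAC-SHA-256. The following is an added example, not code from the draft, from RFC 2404 or from either poster, that computes both truncated ICVs over a constructed sample payload, verifies them with a constant-time compare, and measures software throughput of each so the "lower computational cost" claim can be checked on a given machine. The key and payload are constructed for illustration; the function names are this example's own. The throughput figures are for the Python standard library's OpenSSL-backed implementation and say nothing about hardware offload such as Hifn's.

```python
import hashlib
import hmac
import time

# Constructed sample key and payload (not from the draft or RFC 2404).
# 20-byte key of 0x0b, as used by the published HMAC test vectors.
KEY = bytes.fromhex("0b" * 20)
PAYLOAD = bytes(range(256)) * 4  # 1024-byte stand-in for an ESP/AH-protected packet


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """RFC 2404 style ICV: full HMAC-SHA-1, truncated to the leftmost 96 bits (12 bytes)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def hmac_sha256_128(key: bytes, data: bytes) -> bytes:
    """Draft style ICV: full HMAC-SHA-256, truncated to the leftmost 128 bits (16 bytes)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def verify(mac_fn, key: bytes, data: bytes, received_icv: bytes) -> bool:
    """Recompute the ICV and compare in constant time, as a receiver would."""
    return hmac.compare_digest(mac_fn(key, data), received_icv)


def throughput_mbps(mac_fn, key: bytes, data: bytes, iterations: int = 2000) -> float:
    """Rough software throughput (megabits/second) of mac_fn over `data`."""
    start = time.perf_counter()
    for _ in range(iterations):
        mac_fn(key, data)
    elapsed = time.perf_counter() - start
    return (len(data) * iterations * 8) / elapsed / 1e6


if __name__ == "__main__":
    icv1 = hmac_sha1_96(KEY, PAYLOAD)
    icv2 = hmac_sha256_128(KEY, PAYLOAD)
    print("HMAC-SHA-1-96   ICV:", icv1.hex(), "(", len(icv1) * 8, "bits )")
    print("HMAC-SHA-256-128 ICV:", icv2.hex(), "(", len(icv2) * 8, "bits )")

    # A single flipped payload byte must fail verification under both transforms.
    tampered = bytearray(PAYLOAD)
    tampered[0] ^= 0x01
    print("tamper detected (SHA-1-96):  ", not verify(hmac_sha1_96, KEY, bytes(tampered), icv1))
    print("tamper detected (SHA-256-128):", not verify(hmac_sha256_128, KEY, bytes(tampered), icv2))

    print("HMAC-SHA-1-96    : %.0f Mbit/s" % throughput_mbps(hmac_sha1_96, KEY, PAYLOAD))
    print("HMAC-SHA-256-128 : %.0f Mbit/s" % throughput_mbps(hmac_sha256_128, KEY, PAYLOAD))
```

The key of twenty 0x0b bytes with the message "Hi There" is test case 1 of both RFC 2202 (HMAC-SHA-1) and RFC 4231 (HMAC-SHA-256), so the truncated outputs can be checked against those published vectors; the benchmark loop is deliberately crude and is only meant to show relative cost of the two transforms on the machine it runs on.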