
Re: SHA-256-128 Draft: Is this really required? Contradiction...



Russell:

I was making similar observations to Tim Polk from NIST last night.  I had 
put him on the spot, but he could not come up with a reason to pursue this 
draft at the time.  He agreed to ask other people at NIST why this draft is 
needed.  Hopefully, someone from NIST will report the outcome of those 
discussions on this list.

Russ


At 12:14 AM 7/17/2002 -0700, Russell Dietz wrote:
>Hello Folks,
>
>In reviewing the latest SHA-256 draft, "The HMAC-SHA-256-128 Algorithm and
>Its Use With IPsec", <draft-ietf-ipsec-ciph-sha-256-01.txt>, June 2002, I
>notice a contradiction and a point which I (and others) believe eliminates
>the need for the document to progress, even as an experimental.
>
>In the draft, the authors state that...
>
>"HMAC-SHA-1-96 [HMAC-SHA] (Madson, C. and R. Glenn, "The Use of
>HMAC-SHA-1-96 within ESP and AH," RFC2404, November 1998.) provides
>sufficient security at a lower computational cost [than this SHA-2 draft]".
>
>...the draft then states...
>
>"The goal of HMAC-SHA-256-128 is to ensure that the packet is authentic and
>cannot be modified in transit."
>
>...this is the 'goal' of HMAC-SHA-1-96 as it stands today.
>
>In addition, while the new SHA-256 algorithm is definitely useful in other
>contexts, in fact there is no evidence that DRAFT-SHA-256 provides any
>meaningful additional cryptographic security over the HMAC-SHA-1-96
>algorithm defined in RFC2404 and already in widespread use for packet
>authentication in IPSec.  For all we know, quite the contrary may be true,
>as SHA-256 is a new transform and thus has seen considerably less public
>review so far than SHA1 has already received.  In any case, it is extremely
>unlikely that HMAC-SHA1 will be the weak point in any system using IPSec.
>Hence, it is not clear that trying to improve its security makes any sense,
>given the costs and instability associated with such a change.
>
>Given this and the fact that SHA-256 has no known cryptographic benefit
>to implementing this proposed standard, there is no reason, even on an
>experimental basis, for the IPSec WG to progress this document.
>
>Regards,
>
>Russell Dietz
>Hifn, Inc.
>750 University Ave
>Los Gatos, CA, USA 95032-7695
>Tel: +1 408 399-3623
>pgp-fingerprint: CEE3 58B0 DD09 4EA5 7266 BF1E B5F6 4D1A 4AD1 65B4