[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard

To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Subject: Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard
From: Bart Preneel <Bart.Preneel@esat.kuleuven.ac.be>
Date: Sat, 10 Jul 2004 00:38:51 +0200 (CEST)
Cc: ipsec@ietf.org, Donald.Eastlake@Motorola.com, iesg@ietf.org, IETF-Announce <ietf-announce@ietf.org>
In-reply-to: <Pine.GSO.4.44_heb2.09.0407072207480.21829-100000@ee.technion.ac.il>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>,<mailto:ipsec-request@ietf.org?subject=unsubscribe>
Sender: ipsec-bounces@ietf.org

Hugo,

I am not so sure that we should strenghten the recommendation for HMAC-MD5.

1) Very few researchers work on hash functions of the MDx-type, and I am
aware of only 1 (not yet published) result on "deviation of randomness"
for these functions; hence the absence of results should not be
interpreted as an indication of security.

2) The little effort that has been spent has resulted in some progress
in the last 2 years:

Saarinen has shown at FSE 2003 that there are some problems when SHA-1
and MD5 would be used as block ciphers (keyed by the message input -
feedforward omitted); collisions have been found for 3 rounds of HAVAL
(Biryukov et al., Asiacrypt 2003); at Crypto 2004 Eli Biham and Rafi Chen
will present near-collisions of SHA-0 (they can also break now 36 rounds
of SHA-1).

None of these attacks forms a direct threat to HMAC-MD5, but these
results show that after 10 years our ability to attack this type of functions
keeps improving; nothing indicates that this progress will stop in
the next years.

3) Nobody has so far attempted to apply algebraic attacks to these
objects; these attacks have been rather successful against stream
ciphers, even if their applicability for block ciphers is currently
unclear.

Once problems are discovered, getting rid of an algorithm is difficult,
which is a reason to be conservative (some components in the banking world
are still in the process of being upgraded from DES to triple-DES).

Finally, it seems that if performance is really an issue, one should
start working on developing a concrete solution using universal
hash function-based constructions.

--Bart

On Thu, 8 Jul 2004, Hugo Krawczyk wrote:

> Draft draft-ietf-ipsec-esp-ah-algorithms-01.txt
> specifies HMAC-MD5 as MAY (in the list of authentication algorithms).
>
> Given that 8 years after the invention of HMAC and 8 years after
> Dobbertin's attacks on MD5 there is no single piece of evidence (big or
> small) against the use of HMAC-MD5, and given that HMAC-MD5 is close to
> twice the speed of HMAC-SHA1, then I suggest to upgrade HMAC-MD5 to SHOULD
> (it is good to make it available for applications that need the speed,
> especially in authentication-only configurations (are there any?)
>
> Just a suggestion. Feel free to ignore.
>
> Hugo
>
> On Wed, 23 Jun 2004, The IESG wrote:
>
> > The IESG has received a request from the IP Security Protocol WG to consider
> > the following document:
> >
> > - 'Cryptographic Algorithm Implementation Requirements For ESP And AH '
> >  <draft-ietf-ipsec-esp-ah-algorithms-01.txt> as a Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> > final comments on this action.Please send any comments to the
> > iesg@ietf.org or ietf@ietf.org mailing lists by 2004-07-07.
> >
> > The file can be obtained via
> > http://www.ietf.org/internet-drafts/draft-ietf-ipsec-esp-ah-algorithms-01.txt
> >
> >
> > _______________________________________________
> > Ipsec mailing list
> > Ipsec@ietf.org
> > https://www1.ietf.org/mailman/listinfo/ipsec
> >
>
>
>
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
>

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard
  - From: Hugo Krawczyk <hugo@ee.technion.ac.il>

References:
- Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard
  - From: Hugo Krawczyk <hugo@ee.technion.ac.il>

Prev by Date: Re: [Ipsec] certificate encoding type in IKEv2
Next by Date: Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard
Previous by thread: Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard
Next by thread: Re: [Ipsec] Last Call: 'Cryptographic Algorithm ImplementationRequirements For ESP And AH' to Proposed Standard
Index(es):
- Date
- Thread