RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms
Sean Shuo Shen <sshen@huawei.com> Fri, 04 January 2008 01:33 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAbRB-0004SS-TP; Thu, 03 Jan 2008 20:33:29 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAbRA-0004SN-Rq for cfrg@ietf.org; Thu, 03 Jan 2008 20:33:28 -0500
Received: from szxga04-in.huawei.com ([61.144.161.7]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JAbR8-00047w-L8 for cfrg@ietf.org; Thu, 03 Jan 2008 20:33:28 -0500
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JU300MIKIYLVB@szxga04-in.huawei.com> for cfrg@ietf.org; Fri, 04 Jan 2008 09:32:45 +0800 (CST)
Received: from huawei.com ([172.24.1.24]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JU3005OSIYK6J@szxga04-in.huawei.com> for cfrg@ietf.org; Fri, 04 Jan 2008 09:32:45 +0800 (CST)
Received: from s102542 ([10.111.12.53]) by szxml04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0JU300C1DIYGXS@szxml04-in.huawei.com> for cfrg@ietf.org; Fri, 04 Jan 2008 09:32:44 +0800 (CST)
Date: Fri, 04 Jan 2008 09:32:36 +0800
From: Sean Shuo Shen <sshen@huawei.com>
Subject: RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms
In-reply-to: <C3A0E889.3154%mcgrew@cisco.com>
To: 'mcgrew' <mcgrew@cisco.com>, 'Brian Weis' <bew@cisco.com>
Message-id: <001b01c84e71$b2420040$350c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Thread-index: AchDIAo/SQgSTa8TEdyWUgAUUQnMFgF/NZAgAQ0OKyIAJaSU4A==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Cc: saag@mit.edu, cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi David, >> 1. interface: >> I agree that MAC interface without a nonce may make implementation easier. >> But nonce may not expand the size of MAC because it can be generated by both >> sides of a TCP connection. For example, the nonce in UMAC can simply be a >> counter from 0 to a certain upper bound. >Agreed, it is true that in some cases the nonce need not be carried >explicitly along with the MAC value, but instead can be reconstructed by the >receiver using other information. It is also possible to use "Partially >Implicit Nonces", in the terms of Section 3.2.1 of draft-mcgrew-auth-enc, >which trades off nonce size against protocol robustness. Perhaps this is >worth investigating for TCP-AO, though I still think that nonceless MACs >should be favored because of their simplicity. >However, the implicit nonce idea does nothing to address the fact that >nonce-based algorithms are undesirable whenever it is difficult to ensure >nonce coordination, i.e. when key management is absent. If a nonce is used for MAC and requires a key, I think it's reasonable to let the nonce key updated together with the hash key, similar as some other security schemes in which encryption keys and integrity protection keys are generated/renewed synchronously. Though the key management solution for TCP AO is not proposed yet, adding nonce key generation/distribution together with hash key won't affect much on overall performance. >> Even if nonce requires randomness, >> a PRFed value of a counter or sequence number (I remember Joe Touch >> mentioned in Vancouver that key generation of TCP AO should not use any >> bytes of TCP packets, but I think nonce should be ok.) can provide >> randomness. Noticing the good performance of MACs like UMAC, maybe we should >> keep the door open to MACs with nonce. >I'm optimistic that worthwhile nonceless MACs can be made. For example, >UMAC can easily be turned into a nonceless MAC by changing its definition >from >MAC = AES(K, Nonce) (+) Hash(Message) >To >MAC = AES(K, Hash(Message)) >The latter form is actually closer to the initial version of UMAC. >MACs of this form don't meet requirement R6, though. Yes, I agree. Regards Sean _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Re: [saag] TCP-AO MAC algorithms mcgrew
- RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [Cfrg] Re: [saag] TCP-AO MAC algorithms mcgrew
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Stephen Kent
- RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Steven M. Bellovin
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Steven M. Bellovin
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Stephen Kent
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen