Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms
"Steven M. Bellovin" <smb@cs.columbia.edu> Fri, 04 January 2008 03:05 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAcrw-0000Xi-Sh; Thu, 03 Jan 2008 22:05:12 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAcrv-0000Xb-Ir for cfrg@ietf.org; Thu, 03 Jan 2008 22:05:11 -0500
Received: from machshav.com ([198.180.150.44]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JAcrv-0005h9-6A for cfrg@ietf.org; Thu, 03 Jan 2008 22:05:11 -0500
Received: by machshav.com (Postfix, from userid 512) id B609C183; Fri, 4 Jan 2008 03:05:10 +0000 (GMT)
Received: from berkshire.machshav.com (localhost [127.0.0.1]) by machshav.com (Postfix) with ESMTP id 4E493160; Fri, 4 Jan 2008 03:05:09 +0000 (GMT)
Received: from cs.columbia.edu (localhost [127.0.0.1]) by berkshire.machshav.com (Postfix) with ESMTP id 27C4276618B; Thu, 3 Jan 2008 22:05:08 -0500 (EST)
Date: Fri, 04 Jan 2008 03:05:07 +0000
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Sean Shuo Shen <sshen@huawei.com>
Subject: Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms
Message-ID: <20080104030507.7297e280@cs.columbia.edu>
In-Reply-To: <002301c84e75$a9354580$350c6f0a@china.huawei.com>
References: <p06240515c3a15fd25b8f@[192.168.0.101]> <002301c84e75$a9354580$350c6f0a@china.huawei.com>
Organization: Columbia University
X-Mailer: Claws Mail 3.2.0 (GTK+ 2.12.0; i386--netbsdelf)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: saag@mit.edu, cfrg@ietf.org, 'Stephen Kent' <kent@bbn.com>
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
On Fri, 04 Jan 2008 10:01:03 +0800 Sean Shuo Shen <sshen@huawei.com> wrote: > Hi Stephen, > Can you talk more details about the FIPS evaluation problem? > The issue is what the assurance boundary is. If the TCP sequence number is cryptographically significant, the entire process by which it's set (including original generation and anything else in the stack or kernel that could touch it) has to be part of the evaluation, too. It is, I think, less of an issue for TCP-AO, since I suspect that that's not very likely to be done by a dedicated hardware module. Still, as a matter of design principle one should keep security-critical matters separate. > > -----Original Message----- > From: saag-bounces@mit.edu [mailto:saag-bounces@mit.edu] On Behalf Of > Stephen Kent > Sent: Wednesday, January 02, 2008 11:37 PM > To: mcgrew > Cc: saag@mit.edu; Sean Shuo Shen; cfrg@ietf.org > Subject: Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms > > Anoher issue to keep in mind is that a nonce-less MAC avoids the FIPS > evaluation problems that would arise from attempts to make use of the > TCP sequence number as an input to the nonce generation process. > > Steve > _______________________________________________ > saag mailing list > saag@mit.edu > http://mailman.mit.edu/mailman/listinfo/saag > > > > _______________________________________________ > Cfrg mailing list > Cfrg@ietf.org > https://www1.ietf.org/mailman/listinfo/cfrg > --Steve Bellovin, http://www.cs.columbia.edu/~smb _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Re: [saag] TCP-AO MAC algorithms mcgrew
- RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [Cfrg] Re: [saag] TCP-AO MAC algorithms mcgrew
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Stephen Kent
- RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Steven M. Bellovin
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Steven M. Bellovin
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Stephen Kent
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen