Re: [Cfrg] Question about the order of hashing

Steven Bellovin <> Thu, 05 January 2012 09:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9347F21F86DF for <>; Thu, 5 Jan 2012 01:10:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.257
X-Spam-Status: No, score=-3.257 tagged_above=-999 required=5 tests=[AWL=-2.009, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, SARE_OBFU_ALL=0.751]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CmWLs+t07Afz for <>; Thu, 5 Jan 2012 01:10:22 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 938CD21F86B2 for <>; Thu, 5 Jan 2012 01:10:22 -0800 (PST)
Received: from [] ( []) (user=smb2132 mech=PLAIN bits=0) by (8.14.4/8.14.3) with ESMTP id q059AAvq021411 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 5 Jan 2012 04:10:11 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=us-ascii
From: Steven Bellovin <>
In-Reply-To: <>
Date: Thu, 5 Jan 2012 04:10:10 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.1251.1)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on
Cc: "" <>
Subject: Re: [Cfrg] Question about the order of hashing
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Jan 2012 09:10:24 -0000

On Jan 5, 2012, at 2:29 35AM, Yoav Nir wrote:

> Hi.
> When using keyed hash functions such as HMAC, GHash, and CBC-MAC, does the order of the items being concatenated and hashed make any difference to the security properties of the keyed hash?
> IOW, does changing HMAC(k, a||b) into HMAC(k, b||a) change the security properties.
> My motivation for this question is that I would like to propose a variant for IPsec where the sequence numbers are hashed after the payload rather than before it. Different size packets take different times to hash, so if we try to parallelize IPsec processing, arbitrarily many packets may finish processing before a large single packet has finished processing. 
> IPsec emitters are required to emit the packets in order of the sequence numbers, but since the sequence numbers (which are sent in the clear) are hashed first, they have to be allocated before hashing begins. By moving them to the end of the hash, I can allocate the sequence number after having hashed most of the packet, and have nearly constant-time processing after allocating the sequence number.
> So is this scheme I'm proposing save, or would it introduce some major vulnerability.
What is your traffic model?  If it's a single TCP stream, I think you'll introduce
performance problems at that layer if you're sending packets out of TCP order.

		--Steve Bellovin,