[Cfrg] Question about the order of hashing

Yoav Nir <ynir@checkpoint.com> Thu, 05 January 2012 07:29 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C85F521F86BE for <cfrg@ietfa.amsl.com>; Wed, 4 Jan 2012 23:29:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.881
X-Spam-Status: No, score=-9.881 tagged_above=-999 required=5 tests=[AWL=-0.633, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_HI=-8, SARE_OBFU_ALL=0.751]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id W0yVjCqPPioL for <cfrg@ietfa.amsl.com>; Wed, 4 Jan 2012 23:29:33 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com []) by ietfa.amsl.com (Postfix) with ESMTP id CDF0621F8522 for <cfrg@irtf.org>; Wed, 4 Jan 2012 23:29:32 -0800 (PST)
X-CheckPoint: {4F054F19-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com []) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q057TUvj008069 for <cfrg@irtf.org>; Thu, 5 Jan 2012 09:29:30 +0200
Received: from il-ex01.ad.checkpoint.com ([]) by il-ex01.ad.checkpoint.com ([]) with mapi; Thu, 5 Jan 2012 09:29:30 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 5 Jan 2012 09:29:35 +0200
Thread-Topic: Question about the order of hashing
Thread-Index: AczLe8NYNGQU3c3hQTGsUoEUIw5y7w==
Message-ID: <5E6BDD30-3EB8-4FBA-826E-4A44DED36283@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [Cfrg] Question about the order of hashing
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 07:29:33 -0000


When using keyed hash functions such as HMAC, GHash, and CBC-MAC, does the order of the items being concatenated and hashed make any difference to the security properties of the keyed hash?

IOW, does changing HMAC(k, a||b) into HMAC(k, b||a) change the security properties.

My motivation for this question is that I would like to propose a variant for IPsec where the sequence numbers are hashed after the payload rather than before it. Different size packets take different times to hash, so if we try to parallelize IPsec processing, arbitrarily many packets may finish processing before a large single packet has finished processing. 

IPsec emitters are required to emit the packets in order of the sequence numbers, but since the sequence numbers (which are sent in the clear) are hashed first, they have to be allocated before hashing begins. By moving them to the end of the hash, I can allocate the sequence number after having hashed most of the packet, and have nearly constant-time processing after allocating the sequence number.

So is this scheme I'm proposing save, or would it introduce some major vulnerability.