[Cfrg] Re: [saag] TCP-AO MAC algorithms

mcgrew <mcgrew@cisco.com> Thu, 20 December 2007 15:50 UTC

Date: Thu, 20 Dec 2007 07:50:27 -0800
From: mcgrew <mcgrew@cisco.com>
To: Brian Weis <bew@cisco.com>
Cc: saag@mit.edu, cfrg@ietf.org
Subject: [Cfrg] Re: [saag] TCP-AO MAC algorithms

Hi Brian,

I've cross-posted to CFRG to tie the TCP Auth work in with the
draft-irtf-cfrg-fast-mac-requirements draft.

On 12/18/07 4:23 PM, "Brian Weis" <bew@cisco.com> wrote:

> Greetings,
> 
> The TCPM WG seeks advice from SAAG on which MACs to include as
> required MACs for the TCP Authentication Option
> (draft-ietf-tcpm-tcp-auth-opt-00). Two MACs with differing internal
> constructions are desired.

I assume that the reason for having two mandatory-to-implement MACs is to
ensure algorithm agility.

> 
> In my opinion, it is also important that MACs defined by an Internet
> standard as required to be implemented be based on NIST-approved
> algorithms and modes, and also be generally available in both
> software and cryptographic hardware.
> 
> The following two MACs are reasonable recommendations that taken
> together easily meet the above criteria: HMAC-SHA-1 and AES-CMAC. I
> propose that these be the algorithms provided to the TCPM WG.
> 
> Brian

Sounds like reasonable choices to me.

It would be good to have a MAC that performs exceptionally well in software,
along the lines of what we've targeted in
draft-irtf-cfrg-fast-mac-requirements, but if the choice of MACs has to be
made *today*, there may not be a suitable candidate that has been
sufficiently specified and/or reviewed.  I expect that MACs that will be
more suitable for use in TCP Authentication will be developed (candidates
include [1] and [2]).  I trust that there is a path for the adoption of new
MACs in TCP Auth.  

Probably the biggest open question is the length of the MAC.  The CMAC
specification states that lengths 64 bits and higher are acceptable, but
that smaller values "shall only be used in conjunction
with a careful analysis of the risks" [1].  It would be good to do this
analysis for TCP Auth, of course, but it is encouraging that AES-128-CMAC
could be used with a 64-bit tag and still meet the conformance goals that
you outlined. 

Best regards, 

David


[1] J. Black and M. Cochran, "MAC Reforgeability",
http://eprint.iacr.org/2006/095

[2] D.J. Bernstein, "Polynomial evaluation and message authentication",
http://cr.yp.to/antiforgery/pema-20071022.pdf

[3] M. Dworkin, NIST Special Publication 800-38B, "Recommendation for Block
Cipher Modes of Operation: The CMAC Mode for Authentication"
http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
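
The tag-length question raised in the message, worked through as an added example that is not part of the original thread: a truncated-tag verifier with a cap on invalid attempts, plus the blind-guessing bound (at most MaxInvalids / 2^Tlen) that such a risk analysis starts from. HMAC-SHA-1 stands in because it is in the Python standard library (the same truncation arithmetic applies to AES-CMAC); the `Verifier` class, the key, the sample segment and the budget figures are assumptions made for illustration.

```python
import hashlib
import hmac

def tag(key: bytes, msg: bytes, tlen_bits: int) -> bytes:
    """HMAC-SHA-1 truncated to its leftmost tlen_bits (a multiple of 8)."""
    if tlen_bits % 8 or not 8 <= tlen_bits <= 160:
        raise ValueError("tag length must be a multiple of 8 in 8..160")
    return hmac.new(key, msg, hashlib.sha1).digest()[: tlen_bits // 8]

def guess_risk(max_invalids: int, tlen_bits: int) -> float:
    """Union bound on a blind guess succeeding within max_invalids tries."""
    return min(1.0, max_invalids / 2 ** tlen_bits)

def min_tag_bits(max_invalids: int, risk: float) -> int:
    """Smallest tag length whose guessing risk stays at or below `risk`."""
    bits = 0
    while guess_risk(max_invalids, bits) > risk:
        bits += 1
    return bits

class Verifier:
    """Hypothetical receiver: retires the key after max_invalids bad tags."""

    def __init__(self, key: bytes, tlen_bits: int, max_invalids: int):
        self.key, self.tlen_bits = key, tlen_bits
        self.max_invalids, self.invalid = max_invalids, 0

    def verify(self, msg: bytes, candidate: bytes) -> bool:
        # Enforcing the budget is what makes the guessing bound hold.
        if self.invalid >= self.max_invalids:
            raise RuntimeError("invalid-tag budget exhausted; rekey")
        # Constant-time comparison of the truncated tags.
        ok = hmac.compare_digest(tag(self.key, msg, self.tlen_bits), candidate)
        self.invalid += 0 if ok else 1
        return ok

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed, not from the thread
    segment = b"constructed TCP segment bytes"
    v = Verifier(key, tlen_bits=64, max_invalids=2 ** 32)
    print(v.verify(segment, tag(key, segment, 64)))
    print(min_tag_bits(2 ** 32, 2 ** -20), guess_risk(2 ** 32, 64))
```

The bound covers blind guessing only; it says nothing about weaknesses in the underlying MAC or about how often a connection is rekeyed.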
