RE: SHA-256-128 Draft: Is this really required? Contradiction...
"Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com> Thu, 18 July 2002 06:06 UTC
Date: Thu, 18 Jul 2002 01:27:29 -0400
Message-ID: <002001c22e1b$d0877c50$3568e640@ca.alcatel.com>
From: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>
Reply-To: andrew.krywaniuk@alcatel.com
To: 'Russell Dietz' <rdietz@hifn.com>, 'list' <ipsec@lists.tislabs.com>
Subject: RE: SHA-256-128 Draft: Is this really required? Contradiction...
In-reply-to: <D7D145EB4903D311985E00A0C9FC76FE02873412@SJCXCH01.hifn.com>

I was originally opposed to SHA-2, but I got the impression from previous discussions at IETF meetings and on this list that SHA-2 was going to be faster than SHA-1. If that is not the case then I agree that there is no need for SHA-2. (Unless it is to match the security strength of large DH groups in key derivation, which, as we've discussed on this list before, is more a limitation of the key derivation algorithm than of the hash).

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Russell Dietz
> Sent: Wednesday, July 17, 2002 3:15 AM
> To: ipsec@lists.tislabs.com
> Subject: SHA-256-128 Draft: Is this really required? Contradiction...
>
> Hello Folks,
>
> In reviewing the latest SHA-256 draft, "The HMAC-SHA-256-128 Algorithm and
> Its Use With IPsec", <draft-ietf-ipsec-ciph-sha-256-01.txt>, June 2002, I
> notice a contradiction and a point which I (and others) believe, eliminates
> the need for the document to progress, even as an experimental.
>
> In the draft, the authors state that...
>
> "HMAC-SHA-1-96 [HMAC-SHA] (Madson, C. and R. Glenn, "The Use of
> HMAC-SHA-1-96 within ESP and AH," RFC2404, November 1998.) provides
> sufficient security at a lower computational cost [than this SHA-2 draft]".
>
> ...the draft then states...
>
> "The goal of HMAC-SHA-256-128 is to ensure that the packet is authentic and
> cannot be modified in transit."
>
> ...this is the 'goal' of HMAC-SHA-1-96 as it stands today.
>
> In addition, while the new SHA-256 algorithm is definitely useful in other
> contexts, in fact there is no evidence that DRAFT-SHA-256 provides any
> meaningful additional cryptographic security over the HMAC-SHA-1-96
> algorithm defined in RFC2404 and already in widespread use for packet
> authentication in IPSec. For all we know, quite the contrary may be true,
> as SHA-256 is a new transform and thus has seen considerably less public
> review so far than SHA1 has already received. In any case, it is extremely
> unlikely that HMAC-SHA1 will be the weak point in any system using IPSec.
> Hence, it is not clear that trying to improve its security makes any sense,
> given the costs and instability associated with such a change.
>
> Given this and the fact that SHA-256 has no known cryptographic benefit
> to implementing this proposed standard, there is no reason, even on an
> experimental basis, for the IPSec WG to progress this document.
>
> Regards,
>
> Russell Dietz
> Hifn, Inc.
> 750 University Ave
> Los Gatos, CA, USA 95032-7695
> Tel: +1 408 399-3623
> pgp-fingerprint: CEE3 58B0 DD09 4EA5 7266 BF1E B5F6 4D1A 4AD1 65B4

- SHA-256-128 Draft: Is this really required? Contr… Russell Dietz
- RE: SHA-256-128 Draft: Is this really required? C… Andrew Krywaniuk
- Re: SHA-256-128 Draft: Is this really required? C… Uri Blumenthal
- Re: SHA-256-128 Draft: Is this really required? C… Housley, Russ