Re: replay field size
"Theodore Y. Ts'o" <tytso@MIT.EDU> Wed, 12 February 1997 18:32 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA28075 for ipsec-outgoing; Wed, 12 Feb 1997 13:32:33 -0500 (EST)
Date: Wed, 12 Feb 1997 13:36:39 -0500
Message-Id: <9702121836.AA10900@dcl.MIT.EDU>
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Niels Ferguson <niels@DigiCash.com>
Cc: "Theodore Y. Ts'o" <tytso@MIT.EDU>, ipsec@tis.com
In-Reply-To: Niels Ferguson's message of Wed, 12 Feb 1997 18:30:37 +0100, <199702121729.SAA18933@digicash.com>
Subject: Re: replay field size
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
From: "Niels Ferguson" <niels@digicash.com> Date: Wed, 12 Feb 1997 18:30:37 +0100 What are the requirements? I havn't been part of the IPsec discussion, and I don't have very much time to spend on it, but this seems to be fairly fundamental..... BTW, if the hash is used to ensure message integrity, and there is a separate MAC to ensure authenticity, then you could eliminate the hash. A MAC provides integrity verification as well, but it doesn't help you distinguish between a integrity violation and a key-mismatch. Unless precise error reporting is very important, you could leave the hash out. Furthermore, the MAC is more efficient, as it requires half as many bits to provide the same security level (assuming the key is secret of course). The fact that you haven't been following the IPsec discussion is pretty obvious now. (Although I apologize for the loose use of terminology which has obviously confused you.) Note that what we're talking about is HMAC SHA --- so we *are* talking about a MAC, not just a hash. See draft-ietf-ipsec-ah-hmac-sha-04.txt for more details. It is computed by as follows: HMAC-SHA(K, text) = SHA (K XOR opad, SHA (K XOR ipad, text)) where ipad is the byte 0x36 repeated 64 times, and opad is the byte 0x5C repeated 64 times. The question is whether or not we should truncate the value returned by the SHA in the above question to 128 bits or not. Hugo Krawczyk, a cryptographer from IBM, has made the claim that in this case, truncating the hash result is a *good* thing, because (a) since it is a MAC, birthday attacks aren't an issue (as you commented because it only requires half as many bits), and (b) it denies information to an attacker who is trying to perform an analytic attack on the MAC. - Ted
- RE: replay field size Roy Shamir
- RE: replay field size Michael J. Oehler
- Re: replay field size Niels Ferguson
- replay field size Derrell Piper
- Re: replay field size Matt Thomas
- RE: replay field size Roy Pereira
- RE: replay field size Ran Atkinson
- RE: replay field size Roy Pereira
- Re: replay field size Tim Bass (IETF)
- RE: replay field size Rob Adams
- Re: replay field size Dan McDonald
- RE: replay field size Ran Atkinson
- Re: replay field size Robert Glenn
- RE: replay field size Roy Pereira
- RE: replay field size Dan McDonald
- Re: replay field size Germano Caronni
- Re: replay field size John Keating
- Re: replay field size Derrell Piper
- Re: replay field size Ran Atkinson
- Re: replay field size wei
- RE: replay field size Stephen Kent
- Re: replay field size Matt Thomas
- RE: replay field size Phil Karn
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Perry E. Metzger
- Re: replay field size Niels Ferguson
- Re: replay field size Bill Sommerfeld
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Uri Blumenthal
- RE: replay field size Bob Monsour
- RE: replay field size Stephen Kent
- RE: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Ran Atkinson
- Re: replay field size Steven Bellovin
- Re: replay field size Ran Atkinson
- Re: replay field size Jim Thompson
- Re: replay field size Bart Preneel