Re: replay field size

Niels Ferguson <niels@digicash.com> Wed, 12 February 1997 13:28 UTC

Received: from cnri by ietf.org id aa24419; 12 Feb 97 8:28 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa06340; 12 Feb 97 8:28 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id IAA25623 for ipsec-outgoing; Wed, 12 Feb 1997 08:15:32 -0500 (EST)
Message-Id: <199702121320.OAA09687@digicash.com>
From: Niels Ferguson <niels@digicash.com>
To: ipsec@tis.com
MMDF-Warning: Parse error in original version of preceding line at CNRI.Reston.VA.US
Subject: Re: replay field size
Date: Wed, 12 Feb 1997 14:21:00 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

> From: Michael J. Oehler <mjo@tycho.ncsc.mil>
> 3. Truncate the SHA-1 to 128 bits
>         The format for MD5 and SHA will then be identical.
I'm a bit concerned with all the people that are happy to truncate hash
values to shorter sizes. This should only be done if there is a thorough
understanding of the threats and desired security level. In particular, SHA
has a 160 bit output _because_ a 128-bit output was deemed too short. If
you truncate SHA to 128 bits, the work effort to create a collision goes
down from 2^80 to 2^64.

Depending on the design lifetime of this stuff, 2^64 probably isn't enough,
and one could question the wisdom of limiting the future security to 2^80
operations. Is there really such a shortage of bits that we have to reduce
bitcounts everywhere? 

In general, 128-bit hash values are safe enough at the moment, but will
probably be insecure in the forseeable future. MAC codes, which are
computed with a shared secret key, can generally be truncated to half the
length of the hash; but this all depends on a detailed analysis of the
protocols.

One other note: complexity is one of the major enemies of security. Most
security systems fail because of bugs, and the number of bugs grows with
some high order of the complexity. So let us try to avoid complexity
wherever possible. In particular, negotiated field length add complexity to
save a few bits. Is this worth it?

Niels

--------------------------------------------------------------------------
Niels Ferguson, email: niels@DigiCash.com. (usual disclaimer applies)
  ...Of shoes, and ships, and sealing-wax, of cabbages, and kings,
  And why the sea is boiling hot, and whether pigs have wings... [Carroll]