Re: replay field size
Niels Ferguson <niels@digicash.com> Wed, 12 February 1997 13:28 UTC
Received: from cnri by ietf.org id aa24419; 12 Feb 97 8:28 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa06340; 12 Feb 97 8:28 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id IAA25623 for ipsec-outgoing; Wed, 12 Feb 1997 08:15:32 -0500 (EST)
Message-Id: <199702121320.OAA09687@digicash.com>
From: Niels Ferguson <niels@digicash.com>
To: ipsec@tis.com
MMDF-Warning: Parse error in original version of preceding line at CNRI.Reston.VA.US
Subject: Re: replay field size
Date: Wed, 12 Feb 1997 14:21:00 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> From: Michael J. Oehler <mjo@tycho.ncsc.mil> > 3. Truncate the SHA-1 to 128 bits > The format for MD5 and SHA will then be identical. I'm a bit concerned with all the people that are happy to truncate hash values to shorter sizes. This should only be done if there is a thorough understanding of the threats and desired security level. In particular, SHA has a 160 bit output _because_ a 128-bit output was deemed too short. If you truncate SHA to 128 bits, the work effort to create a collision goes down from 2^80 to 2^64. Depending on the design lifetime of this stuff, 2^64 probably isn't enough, and one could question the wisdom of limiting the future security to 2^80 operations. Is there really such a shortage of bits that we have to reduce bitcounts everywhere? In general, 128-bit hash values are safe enough at the moment, but will probably be insecure in the forseeable future. MAC codes, which are computed with a shared secret key, can generally be truncated to half the length of the hash; but this all depends on a detailed analysis of the protocols. One other note: complexity is one of the major enemies of security. Most security systems fail because of bugs, and the number of bugs grows with some high order of the complexity. So let us try to avoid complexity wherever possible. In particular, negotiated field length add complexity to save a few bits. Is this worth it? Niels -------------------------------------------------------------------------- Niels Ferguson, email: niels@DigiCash.com. (usual disclaimer applies) ...Of shoes, and ships, and sealing-wax, of cabbages, and kings, And why the sea is boiling hot, and whether pigs have wings... [Carroll]
- RE: replay field size Roy Shamir
- RE: replay field size Michael J. Oehler
- Re: replay field size Niels Ferguson
- replay field size Derrell Piper
- Re: replay field size Matt Thomas
- RE: replay field size Roy Pereira
- RE: replay field size Ran Atkinson
- RE: replay field size Roy Pereira
- Re: replay field size Tim Bass (IETF)
- RE: replay field size Rob Adams
- Re: replay field size Dan McDonald
- RE: replay field size Ran Atkinson
- Re: replay field size Robert Glenn
- RE: replay field size Roy Pereira
- RE: replay field size Dan McDonald
- Re: replay field size Germano Caronni
- Re: replay field size John Keating
- Re: replay field size Derrell Piper
- Re: replay field size Ran Atkinson
- Re: replay field size wei
- RE: replay field size Stephen Kent
- Re: replay field size Matt Thomas
- RE: replay field size Phil Karn
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Perry E. Metzger
- Re: replay field size Niels Ferguson
- Re: replay field size Bill Sommerfeld
- Re: replay field size Theodore Y. Ts'o
- Re: replay field size Uri Blumenthal
- RE: replay field size Bob Monsour
- RE: replay field size Stephen Kent
- RE: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Stephen Kent
- Re: replay field size Ran Atkinson
- Re: replay field size Steven Bellovin
- Re: replay field size Ran Atkinson
- Re: replay field size Jim Thompson
- Re: replay field size Bart Preneel