Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt

Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 22 November 2001 23:30 UTC

Date: Fri, 23 Nov 2001 00:34:31 +0200
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: ipsec list <ipsec@lists.tislabs.com>
cc: sheila.frankel@nist.gov, skelly@SonicWALL.com
Subject: Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt
In-Reply-To: <200111191329.IAA26802@ietf.org>
Message-ID: <Pine.GSO.4.21.0111221303170.11614-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"

Hi,

I noticed the following text under the security considerations of this
draft:
   
   The security provided by HMAC-SHA-256-96 is based upon the strength
   of HMAC and, to a lesser degree, the strength of SHA-256.  At the
   time of this writing there are no practical cryptographic attacks
   against HMAC-SHA-256-96.

This is incorrect. The security of HMAC-SHA-256-96 is FULLY dependent on
the security of SHA-256-96 (and not the other way around).  That's exactly
the advantage of a well-analyzed algorithm (or mode) such as HMAC: its security
is GUARANTEED as long as the underlying hash function is secure (in the
sense established in the HMAC paper, Crypto'96).

Besides, given the current (open-literature!) state of cryptanalysis for
SHA-1, using SHA-256 in the context of a MAC function (as in ESP) is
overkill. In uses of HMAC as a prf for key derivation it may make some
sense (for a strong, long-lived level of security) since the security of
the derived keys may also be needed years from now.

Hugo

On Mon, 19 Nov 2001 Internet-Drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Protocol Working Group of the IETF.
> 
> 	Title		: The HMAC-SHA-256-96 Algorithm and Its Use With IPsec
> 	Author(s)	: S. Frankel, S. Kelly
> 	Filename	: draft-ietf-ipsec-ciph-sha-256-00.txt
> 	Pages		: 8
> 	Date		: 16-Nov-01
> 	
> This document describes the use of the HMAC algorithm in conjunction
> with the SHA-256 algorithm as an authentication mechanism within the
> context of the IPsec Authentication Header and the IPsec Encapsulating
> Security Payload. HMAC with SHA-256 provides data origin authentication
> and integrity protection. This version of the HMAC-SHA-256
> authenticator specifies truncation to 96 bits, and is therefore named
> HMAC-SHA-256-96.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ciph-sha-256-00.txt
> 
> To remove yourself from the IETF Announcement list, send a message to 
> ietf-announce-request with the word unsubscribe in the body of the message.
> 
> Internet-Drafts are also available by anonymous FTP. Login with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> 	"get draft-ietf-ipsec-ciph-sha-256-00.txt".
> 
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html 
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> 
> 
> Internet-Drafts can also be obtained by e-mail.
> 
> Send a message to:
> 	mailserv@ietf.org.
> In the body type:
> 	"FILE /internet-drafts/draft-ietf-ipsec-ciph-sha-256-00.txt".
> 	
> NOTE:	The mail server at ietf.org can return the document in
> 	MIME-encoded form by using the "mpack" utility.  To use this
> 	feature, insert the command "ENCODING mime" before the "FILE"
> 	command.  To decode the response(s), you will need "munpack" or
> 	a MIME-compliant mail reader.  Different MIME-compliant mail readers
> 	exhibit different behavior, especially when dealing with
> 	"multipart" MIME messages (i.e. documents which have been split
> 	up into multiple messages), so check your local documentation on
> 	how to manipulate these messages.
> 		
> 		
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
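As an added illustration of the two points raised above (HMAC is a mode built over the hash function, so HMAC-SHA-256's security rests on SHA-256, and the draft's HMAC-SHA-256-96 is simply that output truncated to 96 bits), the following Python builds HMAC-SHA-256 from its definition, truncates it, verifies a tag in constant time, and shows HMAC used as a PRF for key expansion. This code is not part of the e-mail, the draft, or any IETF implementation. The key-expansion routine `prf_expand` is a constructed illustration of counter-chained expansion, not the IKE key-derivation formula; the known-answer value is RFC 4231 test case 1.

```python
# Added example: HMAC-SHA-256 from its definition, the 96-bit truncation the
# draft names HMAC-SHA-256-96, a constant-time verifier, and HMAC as a PRF.
# Not code from the draft, the e-mail, or any IPsec implementation.
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 block size in bytes (the "B" of the HMAC definition)
TAG_LEN_96 = 12   # 96 bits = 12 bytes, the draft's truncated authenticator length


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in the Crypto'96 paper: H((K ^ opad) || H((K ^ ipad) || m)).

    Everything here is two invocations of SHA-256 plus XOR with fixed pads; the
    construction adds no secret machinery of its own, which is why its security
    reduces to properties of the underlying hash function.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()      # keys longer than a block are hashed
    key = key.ljust(BLOCK_SIZE, b"\x00")        # then zero-padded to one block
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad_key + message).digest()
    return hashlib.sha256(opad_key + inner).digest()


def hmac_sha256_96(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256-96: the leftmost 96 bits of the 256-bit HMAC-SHA-256 output."""
    return hmac_sha256(key, message)[:TAG_LEN_96]


def verify_tag_96(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the truncated tag and compare in constant time.

    A tag of the wrong length is rejected outright rather than compared, so a
    receiver never accepts a shorter (weaker) tag than the one negotiated.
    """
    if len(tag) != TAG_LEN_96:
        return False
    return hmac.compare_digest(hmac_sha256_96(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def prf_expand(secret: bytes, label: bytes, out_len: int) -> bytes:
    """HMAC used as a PRF for key derivation (constructed illustration, not IKE's formula).

    Each output block is HMAC(secret, previous_block || label || counter). The
    full 256-bit output is used: truncation to 96 bits is a property of the
    packet authenticator, not of the PRF use the e-mail distinguishes.
    """
    if out_len > 255 * 32:
        raise ValueError("single-byte counter limits this illustration to 255 blocks")
    out = b""
    prev = b""
    counter = 1
    while len(out) < out_len:
        prev = hmac_sha256(secret, prev + label + bytes([counter]))
        out += prev
        counter += 1
    return out[:out_len]


if __name__ == "__main__":
    key = b"\x0b" * 20          # RFC 4231 test case 1 key
    msg = b"Hi There"           # RFC 4231 test case 1 data
    full = hmac_sha256(key, msg)
    tag = hmac_sha256_96(key, msg)
    print("HMAC-SHA-256    :", full.hex())
    print("HMAC-SHA-256-96 :", tag.hex())
    print("matches stdlib  :", matches_stdlib(key, msg))
    print("verify good tag :", verify_tag_96(key, msg, tag))
    print("verify tampered :", verify_tag_96(key, msg + b"!", tag))
    print("derived 32B key :", prf_expand(full, b"constructed label", 32).hex())
```

Run as a script it prints the full and truncated tags for the RFC 4231 vector; `verify_tag_96` is the receiver-side check an ESP or AH implementation performs on the 96-bit ICV, and `prf_expand` shows the separate role of HMAC as a PRF, where the untruncated output is consumed.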