Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 22 November 2001 23:30 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id fAMNUw809277; Thu, 22 Nov 2001 15:30:58 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id RAA19430 Thu, 22 Nov 2001 17:24:56 -0500 (EST)
Date: Fri, 23 Nov 2001 00:34:31 +0200
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: ipsec list <ipsec@lists.tislabs.com>
cc: sheila.frankel@nist.gov, skelly@SonicWALL.com
Subject: Re: I-D ACTION:draft-ietf-ipsec-ciph-sha-256-00.txt
In-Reply-To: <200111191329.IAA26802@ietf.org>
Message-ID: <Pine.GSO.4.21.0111221303170.11614-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Hi, I noticed the following text under the security considerations of this draft:

   The security provided by HMAC-SHA-256-96 is based upon the strength
   of HMAC and, to a lesser degree, the strength of SHA-256. At the
   time of this writing there are no practical cryptographic attacks
   against HMAC-SHA-256-96.

This is incorrect. The security of HMAC-SHA-256-96 is FULLY dependent on the security of SHA-256-96 (and not the other way around). That's exactly the advantage of a well-analyzed algorithm (or mode) as HMAC: its security is GUARANTEED as long as the underlying hash function is secure (in the sense established in the HMAC paper, Crypto'96).

Besides, given current (open literature!) state of cryptanalysis for SHA-1, using SHA-256 in the context of a MAC function (as in ESP) is overkill. In uses of HMAC as a prf for key derivation it may make some sense (for strong long-lived level of security) since the security of the derived keys may be needed also years from now.

Hugo

On Mon, 19 Nov 2001 Internet-Drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IP Security Protocol Working Group of the IETF.
>
>       Title           : The HMAC-SHA-256-96 Algorithm and Its Use With IPsec
>       Author(s)       : S. Frankel, S. Kelly
>       Filename        : draft-ietf-ipsec-ciph-sha-256-00.txt
>       Pages           : 8
>       Date            : 16-Nov-01
>
> This document describes the use of the HMAC algorithm in conjunction
> with the SHA-256 algorithm as an authentication mechanism within the
> context of the IPsec Authentication Header and the IPsec Encapsulat-
> ing Security Payload. HMAC with SHA-256 provides data origin authen-
> tication and integrity protection. This version of the HMAC-SHA-256
> authenticator specifies truncation to 96 bits, and is therefore named
> HMAC-SHA-256-96.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ciph-sha-256-00.txt
>
> To remove yourself from the IETF Announcement list, send a message to
> ietf-announce-request with the word unsubscribe in the body of the message.
>
> Internet-Drafts are also available by anonymous FTP. Login with the username
> "anonymous" and a password of your e-mail address. After logging in,
> type "cd internet-drafts" and then
> "get draft-ietf-ipsec-ciph-sha-256-00.txt".
>
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
> Internet-Drafts can also be obtained by e-mail.
>
> Send a message to:
>       mailserv@ietf.org.
> In the body type:
>       "FILE /internet-drafts/draft-ietf-ipsec-ciph-sha-256-00.txt".
>
> NOTE:   The mail server at ietf.org can return the document in
>         MIME-encoded form by using the "mpack" utility.  To use this
>         feature, insert the command "ENCODING mime" before the "FILE"
>         command.  To decode the response(s), you will need "munpack" or
>         a MIME-compliant mail reader.  Different MIME-compliant mail readers
>         exhibit different behavior, especially when dealing with
>         "multipart" MIME messages (i.e. documents which have been split
>         up into multiple messages), so check your local documentation on
>         how to manipulate these messages.
>
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
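The point of the message above is that HMAC is nothing more than two calls to the underlying hash with keyed padding, so its security can only ever rest on that hash. The following example (added here; it is not code from the draft, from its authors, or from the message) builds HMAC-SHA-256 directly from the RFC 2104 definition, applies the 96-bit truncation the draft specifies, and checks the construction against Python's standard `hmac` module. The key and message values are constructed test inputs; `BLOCK_SIZE`, `TRUNC_BYTES` and the function names are this example's own.

```python
"""HMAC-SHA-256-96 built from the HMAC definition (added example, not the draft's code).

HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), with H = SHA-256.
The draft's HMAC-SHA-256-96 keeps only the leftmost 96 bits (12 bytes) of that output.
"""
import hashlib
import hmac

BLOCK_SIZE = 64    # SHA-256 compresses 64-byte blocks; HMAC pads the key to this length
TRUNC_BYTES = 12   # 96 bits, the truncation length named in the draft


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Full 256-bit HMAC-SHA-256 computed from the definition, not from a library."""
    if len(key) > BLOCK_SIZE:
        # Keys longer than one block are first hashed down (RFC 2104, section 2).
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")          # zero-pad to the block size
    ipad_key = bytes(b ^ 0x36 for b in key)       # inner pad
    opad_key = bytes(b ^ 0x5C for b in key)       # outer pad
    inner = hashlib.sha256(ipad_key + msg).digest()
    return hashlib.sha256(opad_key + inner).digest()


def hmac_sha256_96(key: bytes, msg: bytes) -> bytes:
    """Authenticator as used in AH/ESP: the full MAC truncated to its leftmost 96 bits."""
    return hmac_sha256(key, msg)[:TRUNC_BYTES]


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check; constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(hmac_sha256_96(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check: the hand-built HMAC must agree with Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac_sha256(key, msg) == reference


if __name__ == "__main__":
    key = bytes([0x0B] * 20)   # constructed test key
    msg = b"Hi There"          # constructed test message
    tag = hmac_sha256_96(key, msg)
    print("HMAC-SHA-256-96 tag:", tag.hex())
    print("matches stdlib:", matches_stdlib(key, msg))
    print("verifies:", verify_tag(key, msg, tag))
    print("tampered verifies:", verify_tag(key, msg + b"!", tag))
```

Everything the construction does beyond SHA-256 itself is XOR with fixed pads, concatenation and truncation, which is why, as the message says, a weakness in the hash is the only thing that could undermine the MAC; the truncation to 96 bits shortens the tag an attacker must forge but does not change that dependency.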