Re: Last Call: HMAC-IP (Truncated HMAC-SHA)
William Allen Simpson <wsimpson@greendragon.com> Sun, 11 August 1996 21:44 UTC
Received: from relay.hq.tis.com by neptune.TIS.COM id aa24343; 11 Aug 96 17:44 EDT
Received: by relay.hq.tis.com; id RAA07293; Sun, 11 Aug 1996 17:47:33 -0400
Received: from sol.hq.tis.com(192.33.112.100) by relay.tis.com via smap (V3.1.1) id xma007291; Sun, 11 Aug 96 17:47:05 -0400
Received: from relay.hq.tis.com by tis.com (4.1/SUN-5.64) id AA21490; Sun, 11 Aug 96 17:46:30 EDT
Received: by relay.hq.tis.com; id RAA07288; Sun, 11 Aug 1996 17:47:03 -0400
Received: from merit.edu(35.1.1.42) by relay.tis.com via smap (V3.1.1) id xma007283; Sun, 11 Aug 96 17:46:48 -0400
Received: from Bill.Simpson.DialUp.Mich.Net (pm002-21.dialip.mich.net [141.211.7.157]) by merit.edu (8.7.5/merit-2.0) with SMTP id RAA02117 for <ipsec@TIS.COM>; Sun, 11 Aug 1996 17:49:03 -0400 (EDT)
Date: Sun, 11 Aug 1996 21:37:26 +0000
From: William Allen Simpson <wsimpson@greendragon.com>
Message-Id: <5409.wsimpson@greendragon.com>
To: iesg@ietf.org
Cc: ipsec@TIS.COM
Subject: Re: Last Call: HMAC-IP (Truncated HMAC-SHA)
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
I had proposed shortening the length of the SHA output last winter.
However, there was strong consensus on the ipsec-dev list that multiple
lengths be supported. And thus, the language in draft-simpson-ah-sha-
kdp-00.txt. I urge these authors to insert this facility in their draft:
Therefore, several options are available for data alignment (most
preferred to least preferred):
1) only the most significant 128-bits (16 octets) of output are used.
2) an additional 32-bits (4 octets) of padding is added before the
SHA1 output.
3) an additional 32-bits (4 octets) of padding is added after the
SHA1 output.
4) the SHA1 output is variably bit-positioned within 192-bits (24
octets).
The size and position of the output are negotiated as part of the key
management. Padding bits are filled with unspecified implementation
dependent (random) values, which are ignored on receipt.
Discussion:
Although truncation of the output for alignment purposes may
appear to reduce the effectiveness of the algorithm, some analysts
of attack verification suggest that this may instead improve the
overall robustness [PO95a].
...
[PO95a] Preneel, B., and van Oorshot, P., "MDx-MAC and Building Fast
MACs from Hash Functions", Advances in Cryptology -- Crypto
'95 Proceedings, Santa Barbara, California, August 1995.
> Date: Fri, 9 Aug 1996 23:37:23 +0200 (METDST)
> From: Bart Preneel <Bart.Preneel@esat.kuleuven.ac.be>
> I would not even see a problem to shorten the SHA-1 output to
> 64 bits. When considering attack scenarios, I would be much more
> worried about an attacker who uses the known text-MAC pairs to
> obtain information on the key than about an attacker who tries to
> predict some bits to forge a MAC for two reasons:
> - a key recovery is more serious than a forgery
> - for concrete hash functions such as MD5 and SHA-1, I feel
> that the first attack is more likely (just intuition).
>
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
- Re: Last Call: HMAC-IP (Truncated HMAC-SHA) H.Krawczyk
- Re: Last Call: HMAC-IP (Truncated HMAC-SHA) Bart Preneel
- Re: Last Call: HMAC-IP (Truncated HMAC-SHA) William Allen Simpson