Re: Remove little-used algorithms from IKEv2

Dan McDonald <danmcd@east.sun.com> Thu, 14 March 2002 22:19 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g2EMJn425934; Thu, 14 Mar 2002 14:19:49 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id QAA06356 Thu, 14 Mar 2002 16:42:14 -0500 (EST)
Message-Id: <200203142153.g2ELrtDq022893@kebe.east.sun.com>
Subject: Re: Remove little-used algorithms from IKEv2
In-Reply-To: <2F3EC696EAEED311BB2D009027C3F4F405869A08@vhqpostal.verisign.com> from "Hallam-Baker, Phillip" at "Mar 14, 2002 12:32:33 pm"
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Date: Thu, 14 Mar 2002 16:53:55 -0500
CC: ipsec@lists.tislabs.com
From: Dan McDonald <danmcd@east.sun.com>
Organization: Sun Microsystems, Inc. - Solaris Internet Engineering
X-Mailer: ELM [version 2.4ME+ PL66 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

> Any reason for keeping the MD5 algorithms given their somewhat compromised
> status?
> 
> MD5 and SHA are pretty close and share the same internal structure so I
> don't think we can really justify MD5 as a fallback to SHA-1, particularly
> in the light of the Dobbertin results.

Hmmm, I thought HMAC prevented these problems.  Here's a note from a w3c list
that forwards a conversation between Dobbertin and IPsec list regular Hugo
Krawczyk:

	http://lists.w3.org/Archives/Public/ietf-tls/1996AprJun/0111.html

MD5 is a far better performer than SHA-1 - especially if you work around MD5's
poor assumptions that all-the-world's-an-Intel.

> We should anticipate that the AES based SHA-2 algorithms will appear in due
> course so it is not as if there would only be one algorithm

Now _this_ is a better point, but removing MD5 from IKE based on just
Dobbertin is not sufficient, IMHO.

Also, these proposed removals are for IKE only, not for AH/ESP, correct?
HMAC-MD5 is still quite sufficient for packet integrity, and like I said, it
smokes compared with SHA.

Perhaps we should be looking at UMAC for future AH/ESP secure hashes?

Dan
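The HMAC construction Dan is relying on, as an added example that is not part of the original thread: RFC 2104's nested keyed hash written out explicitly over MD5 and SHA-1, plus the 96-bit truncation that the AH/ESP transforms (HMAC-MD5-96 in RFC 2403, HMAC-SHA-1-96 in RFC 2404) carry in the ICV field. The key/data/digest values are the published RFC 2202 test vectors; the packet bytes in the tamper check are constructed for the example, and `run_test_vectors`, `icv_96` and `verify_icv` are names chosen here, not anything from IKE or the kernel.

```python
"""HMAC (RFC 2104) over MD5 and SHA-1, with the 96-bit ICV truncation
used by AH/ESP (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404).

Added example, not code from the ipsec list thread.  The point of the
construction: the message is never hashed bare.  It is hashed under a
secret inner key, and that result is hashed again under a secret outer
key, which is why bare-hash collision results do not translate directly
into MAC forgeries.
"""
import hashlib
import hmac

BLOCK_SIZE = 64  # input block size ("B" in RFC 2104) for both MD5 and SHA-1


def hmac_rfc2104(key: bytes, data: bytes, hash_name: str) -> bytes:
    """HMAC exactly as RFC 2104 writes it:
         H((K xor opad) || H((K xor ipad) || text))
    A key longer than one block is first replaced by its hash; the key
    is then zero-padded to a full block before the xor with ipad/opad.
    """
    h = lambda m: hashlib.new(hash_name, m).digest()
    if len(key) > BLOCK_SIZE:
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + data)          # keyed inner pass over the text
    return h(opad + inner)          # keyed outer pass over the inner digest


def icv_96(key: bytes, data: bytes, hash_name: str) -> bytes:
    """Truncate to the leftmost 96 bits (12 bytes), as HMAC-MD5-96 and
    HMAC-SHA-1-96 do when filling the AH/ESP ICV field."""
    return hmac_rfc2104(key, data, hash_name)[:12]


def verify_icv(key: bytes, data: bytes, icv: bytes, hash_name: str) -> bool:
    """Recompute and compare in constant time (never with ==, which
    leaks where the first differing byte is)."""
    return hmac.compare_digest(icv_96(key, data, hash_name), icv)


# RFC 2202 test vectors, test cases 1 and 2, for HMAC-MD5 and HMAC-SHA-1.
RFC2202_VECTORS = [
    ("md5",  b"\x0b" * 16, b"Hi There",
     "9294727a3638bb1c13f48ef8158bfc9d"),
    ("md5",  b"Jefe", b"what do ya want for nothing?",
     "750c783e6ab0b503eaa86e310a5db738"),
    ("sha1", b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("sha1", b"Jefe", b"what do ya want for nothing?",
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]


def run_test_vectors() -> bool:
    """Check the hand-written HMAC against the RFC 2202 vectors and
    against Python's hmac module for the same inputs."""
    for hash_name, key, data, expected_hex in RFC2202_VECTORS:
        ours = hmac_rfc2104(key, data, hash_name)
        lib = hmac.new(key, data, getattr(hashlib, hash_name)).digest()
        if ours.hex() != expected_hex or ours != lib:
            return False
    return True


def tamper_demo(hash_name: str = "md5") -> tuple:
    """Constructed packet: flip one bit of the authenticated bytes and
    show the 96-bit ICV no longer verifies, while the original does."""
    key = bytes(range(16))                         # constructed SA key
    packet = b"ESP payload: constructed sample " + b"\x00" * 8
    icv = icv_96(key, packet, hash_name)
    tampered = bytearray(packet)
    tampered[4] ^= 0x01
    return (verify_icv(key, packet, icv, hash_name),
            verify_icv(key, bytes(tampered), icv, hash_name))


if __name__ == "__main__":
    print("RFC 2202 vectors:", "ok" if run_test_vectors() else "MISMATCH")
    print("genuine, tampered:", tamper_demo("md5"))
```

Note that the truncation is applied after the outer hash, not to the inner digest, so an implementation that truncates the inner value to save a few bytes computes something that will not interoperate with RFC 2403/2404 peers.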