SHA-256-128 Draft: Is this really required? Contradiction...
Russell Dietz <rdietz@hifn.com> Wed, 17 July 2002 07:46 UTC
Message-ID: <D7D145EB4903D311985E00A0C9FC76FE02873412@SJCXCH01.hifn.com>
From: Russell Dietz <rdietz@hifn.com>
To: ipsec@lists.tislabs.com
Subject: SHA-256-128 Draft: Is this really required? Contradiction...
Date: Wed, 17 Jul 2002 00:14:52 -0700
Hello Folks,

In reviewing the latest SHA-256 draft, "The HMAC-SHA-256-128 Algorithm and Its Use With IPsec", <draft-ietf-ipsec-ciph-sha-256-01.txt>, June 2002, I notice a contradiction and a point which I (and others) believe eliminates the need for the document to progress, even as an experimental.

In the draft, the authors state that...

"HMAC-SHA-1-96 [HMAC-SHA] (Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH," RFC2404, November 1998.) provides sufficient security at a lower computational cost [than this SHA-2 draft]".

...the draft then states...

"The goal of HMAC-SHA-256-128 is to ensure that the packet is authentic and cannot be modified in transit."

...this is the 'goal' of HMAC-SHA-1-96 as it stands today.

In addition, while the new SHA-256 algorithm is definitely useful in other contexts, in fact there is no evidence that DRAFT-SHA-256 provides any meaningful additional cryptographic security over the HMAC-SHA-1-96 algorithm defined in RFC2404 and already in widespread use for packet authentication in IPSec. For all we know, quite the contrary may be true, as SHA-256 is a new transform and thus has seen considerably less public review so far than SHA1 has already received. In any case, it is extremely unlikely that HMAC-SHA1 will be the weak point in any system using IPSec. Hence, it is not clear that trying to improve its security makes any sense, given the costs and instability associated with such a change.

Given this and the fact that SHA-256 has no known cryptographic benefit to implementing this proposed standard, there is no reason, even on an experimental basis, for the IPSec WG to progress this document.

Regards,

Russell Dietz
Hifn, Inc.
750 University Ave
Los Gatos, CA, USA 95032-7695
Tel: +1 408 399-3623
pgp-fingerprint: CEE3 58B0 DD09 4EA5 7266 BF1E B5F6 4D1A 4AD1 65B4
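As an added illustration, not part of this message or of either draft: the two truncated integrity check values the message compares, HMAC-SHA-1-96 (RFC 2404) and HMAC-SHA-256-128 (the draft under discussion), computed and verified in Python. The key and data are the shared truncation test case from RFC 2202 and RFC 4231; the function names are assumptions made here.

```python
import hmac
import hashlib

# Truncation lengths: RFC 2404 keeps 96 bits of HMAC-SHA-1, the draft keeps
# 128 bits of HMAC-SHA-256. Both keep the leftmost bytes of the full output.
TRUNCATIONS = {
    "HMAC-SHA-1-96": (hashlib.sha1, 96 // 8),
    "HMAC-SHA-256-128": (hashlib.sha256, 128 // 8),
}


def icv(name, key, data):
    """Compute the truncated ICV for one of the two algorithms."""
    digestmod, trunc_len = TRUNCATIONS[name]
    return hmac.new(key, data, digestmod).digest()[:trunc_len]


def verify(name, key, data, received_icv):
    """Recompute the ICV and compare it in constant time, as a receiver
    would before accepting a packet. True only for an unmodified packet."""
    expected = icv(name, key, data)
    if len(received_icv) != len(expected):
        return False
    return hmac.compare_digest(expected, received_icv)


def tamper_check(name, key, data):
    """Flip one bit of the authenticated data and confirm the ICV no longer
    verifies. Returns (original_verifies, modified_verifies)."""
    tag = icv(name, key, data)
    modified = bytes([data[0] ^ 0x01]) + data[1:]
    return verify(name, key, data, tag), verify(name, key, modified, tag)


if __name__ == "__main__":
    key = b"\x0c" * 20               # RFC 2202 / RFC 4231 truncation test key
    data = b"Test With Truncation"   # matching test data
    for name in TRUNCATIONS:
        print(name, icv(name, key, data).hex(), tamper_check(name, key, data))
```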