Re: [IETF-PKIX] mandatory PasswordBasedMac

"David P. Kemp" <dpkemp@MISSI.NCSC.MIL> Tue, 27 January 1998 19:51 UTC


> From: Bob
>
> > From: Carlisle
> >
> >This seems to be two votes in favor of HMAC-SHA-1 and no disagreements
> >so far.  I don't mind specifying this as the mandatory parameter in
> >PasswordBasedMac, but let me repeat Nada's question:
> >
> >>BTW, what is the object identifier for HMAC-SHA-1 (and other HMACs)? Does
> >>anybody have a pointer to some document specifying it?
> >
> >I need this as soon as possible (i.e., within the next day or two).  If
> >an OID doesn't exist, should PKIX define one?
>
> I don't know the OID, but I believe that one was defined for SET, if
> someone has that spec.
>
> Bob



The IANA has registered OIDs for HMAC mechanisms as used by IPSEC:

  ftp://ftp.isi.edu/in-notes/iana/assignments/smi-numbers

iso(1) org(3) dod(6) internet(1) security(5) mechanism(5) ipsec(8)
isakmpOakley(1) HMAC-md5(1)  [1.3.6.1.5.5.8.1.1]
iso(1) org(3) dod(6) internet(1) security(5) mechanism(5) ipsec(8)
isakmpOakley(1) HMAC-SHA(2)  [1.3.6.1.5.5.8.1.2]

The reference in the IANA document [Thayer] is missing, but it refers
to the IPSEC document roadmap, which in turn references "The Use of
HMAC-SHA-1-96 within ESP and AH",

  ftp://ietf.org/internet-drafts/draft-ietf-ipsec-auth-hmac-sha196-01.txt

which in turn references RFC 2104 "HMAC: Keyed Hashing for Message
Authentication", the actual algorithm description.

Note that these OIDs refer to a truncated HMAC where only the first
96 bits of the outer hash output are used - this truncation is described
as a security advantage (it wasn't done solely to cram the MAC into
the IPSEC packets).
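
Added example, not part of the original message: a Python sketch that DER-encodes the two OIDs quoted above and computes the 96-bit truncated HMAC-SHA-1 the note describes, with a verifier that rejects any tag of a different length. The function names are hypothetical; the sample key and message are the first HMAC-SHA-1 test case from RFC 2202.

```python
import hashlib
import hmac

# OIDs quoted in the message above (IANA smi-numbers, ipsec/isakmpOakley arc).
HMAC_MD5_OID = "1.3.6.1.5.5.8.1.1"
HMAC_SHA_OID = "1.3.6.1.5.5.8.1.2"
TRUNC_BYTES = 12  # 96 bits: the first 96 bits of the outer hash output


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2:
        raise ValueError("invalid OID: " + dotted)
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc out of range: " + dotted)
    body = bytearray()
    # The first two arcs share one subidentifier: 40 * first + second.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]          # last base-128 digit, high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))  # continuation digits
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([0x06, len(body)]) + bytes(body)


def hmac_sha1_96(key: bytes, message: bytes) -> bytes:
    """RFC 2104 HMAC with SHA-1, truncated to the leftmost 96 bits."""
    return hmac.new(key, message, hashlib.sha1).digest()[:TRUNC_BYTES]


def verify_hmac_sha1_96(key: bytes, message: bytes, tag: bytes) -> bool:
    """Accept only a tag of exactly 96 bits, compared in constant time."""
    if len(tag) != TRUNC_BYTES:
        return False  # never let the sender choose the truncation length
    return hmac.compare_digest(hmac_sha1_96(key, message), tag)


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"  # RFC 2202 test case 1
    print(encode_oid(HMAC_SHA_OID).hex(), hmac_sha1_96(key, msg).hex())
```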