Re: [tcpm] Guidance on selection of MAC algorithms for TCP-AO
Eric Rescorla <ekr@networkresonance.com> Tue, 18 November 2008 20:16 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01C9F3A67D6; Tue, 18 Nov 2008 12:16:59 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7FCD53A68BF for <tcpm@core3.amsl.com>; Tue, 18 Nov 2008 12:16:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.395
X-Spam-Level:
X-Spam-Status: No, score=-0.395 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EcXYvfGPqkdU for <tcpm@core3.amsl.com>; Tue, 18 Nov 2008 12:16:53 -0800 (PST)
Received: from kilo.rtfm.com (unknown [130.129.95.170]) by core3.amsl.com (Postfix) with ESMTP id 100543A67D0 for <tcpm@ietf.org>; Tue, 18 Nov 2008 12:16:53 -0800 (PST)
Received: from kilo-2.local (localhost [127.0.0.1]) by kilo.rtfm.com (Postfix) with ESMTP id 0D9DE75D25F; Tue, 18 Nov 2008 14:16:52 -0600 (CST)
Date: Tue, 18 Nov 2008 14:16:51 -0600
From: Eric Rescorla <ekr@networkresonance.com>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <49231C13.10303@isi.edu>
References: <49231C13.10303@isi.edu>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20081118201652.0D9DE75D25F@kilo.rtfm.com>
Cc: Russ Housley <housley@vigilsec.com>, tcpm Extensions WG <tcpm@ietf.org>, pasi.eronen@nokia.com, Tim Polk <tim.polk@nist.gov>
Subject: Re: [tcpm] Guidance on selection of MAC algorithms for TCP-AO
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
At Tue, 18 Nov 2008 11:48:35 -0800, Joe Touch wrote: > TCP-AO needs to make two decisions with respect to MAC algorithms: > select algorithms for the current specification; and establish > criteria for specification of MAC algorithms in the future. To be > honest, there are numerous MAC algorithms that could satisfy TCP-AO's > security requirements. Pragmatic issues like performance and current > code bases need to be factored in as well. > > The two most attractive options for generating the MAC are AES 128 in > the cipher-based message authentication code (CMAC) mode and the > SHA-1 Hash-based Message Authentication Code (HMAC). Both options > provide a high level of security and efficiency. The AES 128 CMAC is > potentially more efficient, particularly in hardware, but SHA-1 HMAC > is more widely used in Internet protocols and in most cases could be > supported with little or no additional code. > > Another aspect of the algorithm selection is whether the tags should > be truncated. CMAC-AES-128 produces a 128 bit MAC, and HMAC SHA-1 > produces a 160 bit result. The MAC can be truncated to 96 bits > provide a reasonable tradeoff between security and message size. So, > the algorithms that were in draft-bonica are entirely reasonable > choices: AES-128-CMAC-96 and HMAC-SHA-1-96. For interoperability, > the working group needs to either specify one MAC algorithm as a MUST > and the other as a SHOULD, or specify MUST implement for both > algorithms. > > Note that the security issues driving the migration from SHA-1 to > SHA-256 for digital signatures do not apply here. The security > strength of SHA-1 HMACs should be sufficient for the foreseeable > future. I'm sorry to be difficult, but I don't think that this is quite so clear. The relevant cite here is: Jongsung Kim and Alex Biryukov and Bart Preneel and Seokhie Hong, "On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1", SCN 2006. http://eprint.iacr.org/2006/187 http://www.springerlink.com/content/00w4v62651001303/ While it's clear that the attacks aren't practical on SHA-1, or probably MD5, it's not like the types of analysis people are mounting don't potentially pose a concern for HMAC forgery if they were significantly improved, so I don't think that it's fair to say that the "security issues driving the migration... don't apply here" -Ekr _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Guidance on selection of MAC algorithms fo… Joe Touch
- Re: [tcpm] Guidance on selection of MAC algorithm… Eric Rescorla
- Re: [tcpm] Guidance on selection of MAC algorithm… Gregory M. Lebovitz
- Re: [tcpm] Guidance on selection of MAC algorithm… lars.eggert