On Tue, Aug 06, 2024 at 12:31:21PM -0400, Michael Richardson wrote:
> 
> Daniel Shiu <daniel.s...@arqit.uk> wrote:
>     > While working on cryptographic inventory tools, I noticed that the IKE
>     > authentication methods AUTH_HMAC_SHA1_96 (SHA1-based HMAC truncated to
>     > 96-bits) is permitted in IKEv2 per RFC 8247 (status MUST- according t
> 
> Note, it's *HMAC* SHA1.
> 
>     > Have I missed the deprecation elsewhere, or is further action merited.
> 
> HMAC consists of two passes of SHA1, and includes padding in such a way that
> means that pre-image attacks where the attack text is longer than the
> original do not work.
> 
> So, I am not falling over myself to deprecate HMAC-SHA1.
> I'm happy to leave things as they are until a revision to 8247 is done.
> Note that MUST- means that it is already on its "way down"

The truncation to 96 bits is probably worth a bit of worry in this era
(though not an extreme amount of worry).  Note that Kerberos for a long
time only had AES-CBC-HMAC-SHA1-96 as its strongest enctype but published
RFC 8009 back in 2016 to rectify that (with both a longer authentication
tag and the more modern hash for HMAC), and as I understand it the new
enctype has gotten pretty good uptake.
At the time, the truncated tag was far more of a concern than the SHA-1
usage (in HMAC).

-Ben
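As an added illustration that is not part of the thread, the following builds HMAC-SHA1 from its RFC 2104 definition to make the two SHA-1 passes concrete, then truncates to the 96-bit tag that AUTH_HMAC_SHA1_96 carries and checks it in constant time. The known-answer vector is RFC 2202 test case 1; the other inputs are constructed.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 block size in bytes (RFC 2104 "B")
TAG_LEN = 12     # AUTH_HMAC_SHA1_96 keeps only the first 96 bits of the MAC


def hmac_sha1_from_definition(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 per RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()          # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")          # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # First pass: the keyed inner block followed by the message.  SHA-1's own
    # padding appends the bit length, so the message length is bound into it.
    inner = hashlib.sha1(ipad + msg).digest()
    # Second pass: only the 20-byte inner digest is hashed, never the message,
    # which is what blocks length-extension style continuation of the MAC.
    return hashlib.sha1(opad + inner).digest()


def auth_hmac_sha1_96(key: bytes, msg: bytes) -> bytes:
    """The IKE AUTH_HMAC_SHA1_96 integrity tag: HMAC-SHA1 truncated to 12 bytes."""
    return hmac_sha1_from_definition(key, msg)[:TAG_LEN]


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check of a received 96-bit tag against a fresh computation."""
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(auth_hmac_sha1_96(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built HMAC against the standard library."""
    return hmac_sha1_from_definition(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    # RFC 2202 test case 1: key = 0x0b * 20, data = "Hi There"
    tag = auth_hmac_sha1_96(b"\x0b" * 20, b"Hi There")
    print(tag.hex(), verify_tag(b"\x0b" * 20, b"Hi There", tag))
```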

_______________________________________________
IPsec mailing list -- ipsec@ietf.org