Benjamin Kaduk <ka...@mit.edu> wrote:
> On Tue, Aug 06, 2024 at 12:31:21PM -0400, Michael Richardson wrote:
>>
>> Daniel Shiu <daniel.s...@arqit.uk> wrote:
>> > While working on cryptographic inventory tools, I noticed that the IKE
>> > authentication methos AUTH_HMAC_SHA1_96 (SHA1-based HMAC truncated to
>> > 96-bits) is permitted in IKEv2 per RFC 8247 (status MUST- according t
>>
>> Note, it's *HMAC* SHA1.
>>
>> > Have I missed the deprecation elsewhere, or is further action merited.
>>
>> HMAC consists of two passes of SHA1, and includes padding in such a way
that
>> means that pre-image attacks where the attack text is longer than the
>> original does not work.
>>
>> So, I am not falling overmyself to deprecate HMAC-SHA1.
>> I'm happy to leave things as they are until a revision to 8247 is done.
>> Note that MUST- means that it is already on it's "way down"
> The truncation to 96 bits is probably worth a bit of worry in this era
> (though not an extreme amount of worry). Note that Kerberos for a long
When we agreed to the truncation back in 1996-ish, an argument was that the
lack of the full hash output meant that (brute-force) attackers had to attack
each packet on their own. They couldn't be sure they had actually found the
key based upon a single packet match.
I think Hugo made this argument.
So, the truncation was considered a feature.
HMAC has been extremely powerful thing.
--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org
