I recall an argument that a truncated auth tag increased the likelihood of collision (though still within the acceptable bound), and made the verification of the auth key guess harder.
-- V/R, Uri On 8/6/24, 13:52, "Michael Richardson" <mcr+i...@sandelman.ca <mailto:mcr+i...@sandelman.ca>> wrote: Benjamin Kaduk <ka...@mit.edu <mailto:ka...@mit.edu>> wrote: > On Tue, Aug 06, 2024 at 12:31:21PM -0400, Michael Richardson wrote: >> >> Daniel Shiu <daniel.s...@arqit.uk <mailto:daniel.s...@arqit.uk>> wrote: >> > While working on cryptographic inventory tools, I noticed that the IKE >> > authentication methos AUTH_HMAC_SHA1_96 (SHA1-based HMAC truncated to >> > 96-bits) is permitted in IKEv2 per RFC 8247 (status MUST- according t >> >> Note, it's *HMAC* SHA1. >> >> > Have I missed the deprecation elsewhere, or is further action merited. >> >> HMAC consists of two passes of SHA1, and includes padding in such a way that >> means that pre-image attacks where the attack text is longer than the >> original does not work. >> >> So, I am not falling overmyself to deprecate HMAC-SHA1. >> I'm happy to leave things as they are until a revision to 8247 is done. >> Note that MUST- means that it is already on it's "way down" > The truncation to 96 bits is probably worth a bit of worry in this era > (though not an extreme amount of worry). Note that Kerberos for a long When we agreed to the truncation back in 1996-ish, an argument was that the lack of the full hash output meant that (brute-force) attackers had to attack each packet on their own. They couldn't be sure they had actually found the key based upon a single packet match. I think Hugo made this argument. So, the truncation was considered a feature. HMAC has been extremely powerful thing. -- Michael Richardson <mcr+i...@sandelman.ca <mailto:mcr+i...@sandelman.ca>> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ IPsec mailing list -- ipsec@ietf.org To unsubscribe send an email to ipsec-le...@ietf.org
