
Re: Fw: [Ipsec] I-D ACTION:draft-kelly-ipsec-ciph-sha2-00.txt



On Fri, 29 Sep 2006 13:01:24 -0400 (EDT), "Scott G. Kelly"
<s.kelly@xxxxxxxxxxxxx> wrote:

> Please review and comment on this draft. It's a revamped version of
> draft-ietf-ipsec-ciph-sha2-01.txt, resurrected at Russ's request.  


I found 2.1.1 + 2.1.2 confusing.  2.1.1 says you can't have keys of other
than length 256.  I might quarrel with that -- I'd definitely have used
SHOULD NOT instead of MUST NOT -- but 2.1.2 tells you what to do if your
key isn't 256 bits long.  I perceive no increase in security from padding
a short key with zeros, nor do I understand why it's better to do a
SHA-256 reduction on a long key before using it with HMAC rather than
simply using the longer key directly.  And the notion of a variable key
length function where the variable is constrained to exactly one value is
a bit strange.

You might want to cite RFC 4634 as an Informative reference, since it has
code, and 4231 since it also gives definitions and code points for other
uses of HMAC-SHA-256.

Stepping back a bit, I personally would rather see a single RFC describing
how to use a number of different hash functions with HMAC.  I could almost
use a set of text editor substitution patterns to change this draft from
SHA-256 to SHA-384 or SHA-512.  The core of such a document would be a
table listing acceptable key sizes and truncation sizes for each function
considered.  An appendix could list test vectors.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec