[1090] in Kerberos_V5_Development
Re: 3des question
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed Apr 24 21:40:45 1996
To: perry@piermont.com
Cc: basch@lehman.com, krbdev@MIT.EDU
In-Reply-To: Your message of "Thu, 18 Apr 1996 10:03:02 EDT."
<199604181403.KAA08241@jekyll.piermont.com>
Date: Wed, 24 Apr 1996 21:39:46 EDT
From: Marc Horowitz <marc@MIT.EDU>
In message <199604181403.KAA08241@jekyll.piermont.com>, "Perry E. Metzger" <perry@piermont.com> writes:
>> The 1828 mechanism was originally proposed by Hugo, but he has since
>> come up with a much stronger MAC called HMAC which is also based on
>> MD5 or SHA. If you are looking for a good hash, I strongly suggest
>> looking at HMAC, especially the variants where you only provide part
>> of the hash and thus frustrate brute force cracks. Check out Hugo's
>> internet drafts on the subject. There is now a variant where you XOR
>> with the pad instead of simply padding but it makes no security
>> difference...
Ok, I've read Hugo's two drafts on the subject, and exchanged some
email with him. The short form is that it requires 2^64 messages
signed with the same key to be able to forge future signatures.
Kerberos's daily (or even weekly if you like long tickets) rekeying is
plenty to avoid this.
Therefore, I propose that a new (mandatory for des3 and optional for
des) hash be added to kerb5gss, and that this hash be HMAC-MD5 as
described in draft-ietf-ipsec-hmac-md5-00.txt, or the RFC form of this
i-d when it is promoted.
This does leave us with the problem that the current hack of using the
checksum as an IV to the sequence number calculation seems like less
of a good idea with triple des. I've run this by Hugo, too, and he
says he's busy now, but will think about the question and answer it
sometime.
Marc
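The HMAC-MD5 construction Marc proposes for kerb5gss, written out as an added example (this is not code from the thread or from the Kerberos tree): the ipad/opad "XOR with the pad" form from draft-ietf-ipsec-hmac-md5 as later published in RFC 2104, the truncated-output variant Perry mentions, and a constant-time verifier. It is checked against the RFC 2104 test vectors and against Python's own `hmac` module; the session key and message bytes in `demo()` are constructed sample values, not Kerberos data.

```python
"""HMAC-MD5 built from the bare MD5 primitive, as proposed for the krb5 GSS mechanism."""
import hashlib
import hmac as stdlib_hmac

MD5_BLOCK_SIZE = 64    # MD5 consumes 512-bit blocks; HMAC pads the key to one block
MD5_DIGEST_SIZE = 16
MIN_TRUNCATED = 10     # RFC 2104: at least half the digest and at least 80 bits
IPAD = 0x36
OPAD = 0x5C


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 per RFC 2104: MD5((K ^ opad) || MD5((K ^ ipad) || message))."""
    if len(key) > MD5_BLOCK_SIZE:
        key = hashlib.md5(key).digest()           # over-long keys are hashed down first
    key = key.ljust(MD5_BLOCK_SIZE, b"\x00")      # then zero-padded to a full block
    k_ipad = bytes(b ^ IPAD for b in key)         # XOR with the pad, not concatenation
    k_opad = bytes(b ^ OPAD for b in key)
    inner = hashlib.md5(k_ipad + message).digest()
    return hashlib.md5(k_opad + inner).digest()


def hmac_md5_truncated(key: bytes, message: bytes, tag_len: int = 12) -> bytes:
    """The variant that emits only part of the hash (96 bits by default, as IPsec's
    HMAC-MD5-96 does), so an attacker never sees the full inner/outer state."""
    if not MIN_TRUNCATED <= tag_len <= MD5_DIGEST_SIZE:
        raise ValueError("truncated tag must be between 10 and 16 bytes")
    return hmac_md5(key, message)[:tag_len]


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a full or truncated tag; a wrong-length tag never verifies."""
    if not MIN_TRUNCATED <= len(tag) <= MD5_DIGEST_SIZE:
        return False
    expected = hmac_md5(key, message)[:len(tag)]
    return stdlib_hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    return hmac_md5(key, message) == stdlib_hmac.new(key, message, hashlib.md5).digest()


def demo() -> dict:
    """Exercise the pieces on constructed sample data (hypothetical values, not from the thread)."""
    session_key = bytes.fromhex("0123456789abcdeffedcba9876543210")   # constructed 128-bit key
    next_day_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed rekey value
    message = b"GSS wrap token payload, seq=42"                        # constructed message
    tag96 = hmac_md5_truncated(session_key, message)
    return {
        "full_tag": hmac_md5(session_key, message).hex(),
        "tag96": tag96.hex(),
        "verifies": verify_tag(session_key, message, tag96),
        "tampered_fails": verify_tag(session_key, message + b"!", tag96),
        "after_rekey_fails": verify_tag(next_day_key, message, tag96),
        "short_tag_rejected": verify_tag(session_key, message, tag96[:4]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two fixed vectors in the test are RFC 2104's first two HMAC-MD5 test cases. `verify_tag` refuses tags shorter than 80 bits rather than silently comparing a prefix, so a peer cannot shrink the effective tag length by sending a short one.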