[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue with SIP - Need for Message-Authenticator

To: Barney Wolff <barney@databus.com>
Subject: Re: Issue with SIP - Need for Message-Authenticator
From: Nagi Reddy Jonnala <Nagi_Reddy.Jonnala@alcatel.be>
Date: Fri, 27 Aug 2004 15:39:57 +0200
Cc: Joseph Salowey <jsalowey@cisco.com>, "'Bernard Aboba'" <aboba@internaut.com>, "'Avi Lior'" <avi@bridgewatersystems.com>, "'Beck01, Wolfgang'" <BeckW@t-systems.com>, radiusext@ops.ietf.org
Organization: Alcatel Telecom
References: <Pine.LNX.4.56.0408260553070.25397@internaut.com> <00c701c48b8e$41d60b20$0300000a@amer.cisco.com> <20040826185636.GA47121@pit.databus.com>
Reply-to: Nagi_Reddy.Jonnala@alcatel.be

RIPv2 seem to be interested in HMAC-SHA1 and is described in the draft below.
The introduction section mentions that some governments insist on the use of
HMAC-SHA1 cryptographic mechanism. May be it is worth getting the author
opinions/comments about it.

http://www.ietf.org/internet-drafts/draft-rja-ripv2-auth-00.txt

regards
Nagi.

Barney Wolff wrote:

> On Thu, Aug 26, 2004 at 10:00:55AM -0700, Joseph Salowey wrote:
> > >
> > > Note that Message-Authenticator is based on HMAC-MD5.  Recent
> > > research has demonstrated collisions in MD5 (though not in
> > > HMAC-MD5), so that it may make sense to define a new
> > > attribute that uses a more highly regarded algorithm, such as
> > > HMAC-SHA1.
> >
> > [Joe] See
> > http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-01.txt, this
> > defines an attribute that can SHA for message authentication.
>
> As I read the chatter on the crypto list, it's premature to assume that
> SHA-1 will survive better than MD5, although it probably will.  Arguments
> have been made that HMAC-MD5 will not fall to MD5 attacks.  I'd suggest
> waiting at least a couple of weeks for the smoke to clear before acting.
>
> We do know that the RADIUS Authenticator has long been considered inferior
> to HMAC-MD5, and the recent issues may seal its fate.  It's therefore
> prudent to consider how to react when, or before, the authenticator is
> broken.  Certainly boxes that have sufficient cpu and codespace can use
> IPsec, as has already been suggested.  What, if anything, to do for/with
> boxes that cannot run IPsec is an open question.
>
> --
> Barney Wolff         http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Re: Issue with SIP - Need for Message-Authenticator
  - From: Bernard Aboba <aboba@internaut.com>
- RE: Issue with SIP - Need for Message-Authenticator
  - From: "Joseph Salowey" <jsalowey@cisco.com>
- Re: Issue with SIP - Need for Message-Authenticator
  - From: Barney Wolff <barney@databus.com>

Prev by Date: Comments on draft-sterman-aaa-sip-03
Next by Date: AW: Comments on draft-sterman-aaa-sip-03
Previous by thread: Re: Issue with SIP - Need for Message-Authenticator
Next by thread: RE: Issue with SIP - Need for Message-Authenticator
Index(es):
- Date
- Thread