[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Issue with SIP - Need for Message-Authenticator
RIPv2 seem to be interested in HMAC-SHA1 and is described in the draft below.
The introduction section mentions that some governments insist on the use of
HMAC-SHA1 cryptographic mechanism. May be it is worth getting the author
opinions/comments about it.
http://www.ietf.org/internet-drafts/draft-rja-ripv2-auth-00.txt
regards
Nagi.
Barney Wolff wrote:
> On Thu, Aug 26, 2004 at 10:00:55AM -0700, Joseph Salowey wrote:
> > >
> > > Note that Message-Authenticator is based on HMAC-MD5. Recent
> > > research has demonstrated collisions in MD5 (though not in
> > > HMAC-MD5), so that it may make sense to define a new
> > > attribute that uses a more highly regarded algorithm, such as
> > > HMAC-SHA1.
> >
> > [Joe] See
> > http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-01.txt, this
> > defines an attribute that can SHA for message authentication.
>
> As I read the chatter on the crypto list, it's premature to assume that
> SHA-1 will survive better than MD5, although it probably will. Arguments
> have been made that HMAC-MD5 will not fall to MD5 attacks. I'd suggest
> waiting at least a couple of weeks for the smoke to clear before acting.
>
> We do know that the RADIUS Authenticator has long been considered inferior
> to HMAC-MD5, and the recent issues may seal its fate. It's therefore
> prudent to consider how to react when, or before, the authenticator is
> broken. Certainly boxes that have sufficient cpu and codespace can use
> IPsec, as has already been suggested. What, if anything, to do for/with
> boxes that cannot run IPsec is an open question.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>