
Re: Evaluation: draft-ietf-ipsec-ciph-aes-xcbc-mac - The



In message <200301231709.h0NH9hq08672@cichlid.adsl.duke.edu>, Thomas Narten writes:
>I'm a no ob, but have one nit:
>
>   tion.  The classic CBC-MAC algorithm, while secure for messages of a
>   pre-selected fixed length, has been shown to be insecure across messages
>   of varying lengths such as the type found in typical IP datagrams.  In
>   fact, it is trivial to produce forgeries for a second message given the
>   MAC of a prior message.
>
>Might be good to include a reference to some of the work mentioned
>above.
>

There's no one great source -- the references I checked described it as 
"well-known" -- but the nature of the attack is sketched in the 
document's cite CBC-MAC-1.  (Aside: that paper says, up front, "CBC MAC 
is secure" -- but buried in Section 5 is a description of this "well-known" 
problem.  Mumble.)

You're right; it would help to include a pointer to section 5 in the 
right spot of the i-d.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
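As an added illustration, not part of this thread or of the draft, the following Python shows the variable-length weakness the quoted paragraph describes, beside one textbook mitigation (binding the message length into the first block; this is not the draft's own XCBC construction). The block cipher is replaced by a keyed stand-in function (an assumption made so the example runs with the standard library only; the chaining argument does not depend on AES), and the key and message are constructed sample values.

```python
import hmac
import hashlib

BLOCK = 16


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K (assumption: HMAC-SHA256 truncated to
    16 bytes). The CBC-MAC length problem is independent of the cipher chosen."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Classic CBC-MAC: chain E_K over whole blocks, zero IV, no length encoding."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_fn(key, xor(state, msg[i:i + BLOCK]))
    return state


def prefix_length_mac(key: bytes, msg: bytes) -> bytes:
    """One textbook fix for variable-length messages: bind the length into the
    first block, so messages of different lengths never share a chain prefix."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


def verify(mac_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_fn(key, msg), tag)


def extend_with_known_tag(msg: bytes, tag: bytes) -> bytes:
    """The 'trivial forgery' the draft's text refers to: after the chain absorbs
    msg its state equals tag, so appending (msg[:16] XOR tag) || msg[16:] replays
    the same chain and produces the same tag for a longer message."""
    return msg + xor(msg[:BLOCK], tag) + msg[BLOCK:]


def demo() -> dict:
    key = b"constructed-key-"                    # constructed 16-byte sample key
    msg = b"sample IP datagram, two blocks!!"    # constructed 32-byte sample
    tag = cbc_mac(key, msg)
    longer = extend_with_known_tag(msg, tag)
    return {
        "plain_cbc_mac_accepts_longer_msg": verify(cbc_mac, key, longer, tag),
        "length_prefixed_accepts_longer_msg":
            verify(prefix_length_mac, key, longer, prefix_length_mac(key, msg)),
    }
```

Plain CBC-MAC accepts the longer message under the old tag; the length-bound variant rejects it, which is exactly the property a MAC for IP datagrams of varying sizes has to have.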