Subject: Re: Re: SHA-0 Broken
From: Florent Bersani (florent.bersani
Date: Fri, 10 Sep 2004 03:28:23 -0400 (EDT)
Nicolas Williams wrote:
> > Have a look at EAP-PSK: This is an EAP method which is based on a pre-shared key and takes as underlying crypto primitive AES. Nothing more, just AES.
> > More precisely, AES-128 is used for
> > * mutual authentication
> > * session key derivation (via modified counter mode)
> > * encrypted communication through the secure tunnel (aes in eax mode, hash is OMAC)
>
> And what if AES is broken tomorrow? Impractical attacks exist, but do
> they cast a shadow on AES' future?

See Section 2.2 of EAP-PSK:
"Other block ciphers could easily be proposed for EAP-PSK, as it does not intricately depend on AES-128. The only parameters of AES-128 that EAP-PSK depends on, are its block size (16 bytes) and its key size (16 bytes). For the sake of simplicity, it has however been chosen to restrict to a single mandatory block cipher and not allow the negotiation of other block ciphers. In case AES-128 is deprecated for security reasons, EAP-PSK should also be deprecated and a cut-and-paste EAP-PSK' should be defined with another block cipher. This EAP-PSK' should not be backward compatible with EAP-PSK because of the security issues with AES-128. EAP-PSK' should therefore use a different EAP-Request/Response Type number. With the EAP-Request/Response Type number space structure defined in [2] (Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H. Levkowetz, Extensible Authentication Protocol (EAP), June 2004). <#RFC3748>, this should not be a problem."
> Why EAX? Why not GCM?

See Section 2.2.3 of EAP-PSK:
"EAX was mainly chosen because:
* It strongly relies on OMAC in its design and OMAC1, a variant of
OMAC, had already been chosen in EAP-PSK for the authentication part.
* Its design is simple.
* It enjoys a security proof.
* It is free of any Intellectual Property Rights claims."

An earlier version of EAP-PSK mentioned in Section 2.2.3:
"There are currently many other proposed modes for authenticated encryption with associated data - including Intellectual Property Rights free ones, like CCM, CWC or GCM (please refer to the NIST "Modes of operation for symmetric key block ciphers" web page <http://www.csrc.nist.gov/CryptoToolkit/modes/> for more details)."
As a matter of fact I know one of the GCM designers and I appreciate GCM very very much.
It is true that EAP-PSK could use GMAC instead of OMAC and GCM instead of EAX, which would probably improve the performance of some computations (a factor 2 could be expected from software benchmarks).
OMAC was chosen because it seemed to have the favor of NIST, and at that time GCM was at its beginnings.
I did not receive many requests to change the modes of operation; that's why, given the point where EAP-PSK is now, I am reluctant to make changes... but that could change if I feel compelling arguments to do so.
Any comments welcome, Florent