List: ipsec
Subject: Faster, stronger MACs
From: "D. J. Bernstein" <djb () cr ! yp ! to>
Date: 1999-06-26 0:07:53
Many message authentication systems compute a 128-bit authenticator for
a message m as follows:
         keyed hash function             keyed cryptographic function
   m -------------------> 128 bits ----------------------------> 128 bits
There is a proof that any system of this type is secure against adaptive
chosen-message attacks, provided that
* the cryptographic function is ``unpredictable''---this is a
standard assumption about block ciphers, keyed MD5, etc.---and
* the hash function is ``universal.''
For example, NMAC-MD5 is a system in this class, using keyed MD5 with
variable-length input as the hash function, and keyed MD5 with
fixed-length input as the cryptographic function. (HMAC-MD5 is the same
as NMAC-MD5 except that the two keys are derived from a single key.)
There are, however, better systems in this class:
* Some 128-bit hash functions are _provably_ universal. You might
guess that provable security comes at the expense of speed or key
size; however, I have code for a simple universal 128-bit hash
function, with a 128-bit key, that's _faster than MD5_ on the
Pentium, Pentium II, UltraSPARC, and other popular chips.
* When unique message numbers are available---for replay prevention,
for example---they can be fed into the cryptographic function. The
result is a quantifiable improvement in security.
See http://pobox.com/~djb/hash127/faq.html for further details.
I don't see a pressing need to eliminate HMAC from situations where its
performance hasn't caused problems. However, faster MACs would be a
useful option for people running busy servers.
---Dan
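The two-stage construction in the mail (keyed universal hash, then a keyed "unpredictable" function, optionally fed a unique message number) is easy to see in code. The following is an added illustration, not code from Dan's mail or from hash127. It assumes a polynomial-evaluation hash over the field mod p = 2^127 - 1 (an illustrative choice of prime; such a hash is provably universal, with collision probability bounded by the polynomial degree divided by p), and it assumes HMAC-SHA256 truncated to 128 bits as a stand-in for the keyed cryptographic function, where the mail uses keyed MD5 with fixed-length input. The function names `poly_hash`, `prf`, `mac`, `verify` and `collision_bound` are made up for this example.

```python
import hashlib
import hmac
from fractions import Fraction

# Illustrative field prime for the universal hash (assumption, not taken from the mail).
P = (1 << 127) - 1
WORD = 4  # message is consumed as 4-byte little-endian words


def _words(msg: bytes) -> list:
    """Split msg into 4-byte words and append the byte length as a final word,
    so messages of different lengths never evaluate to the same polynomial."""
    ws = [int.from_bytes(msg[i:i + WORD], "little") for i in range(0, len(msg), WORD)]
    ws.append(len(msg))
    return ws


def poly_hash(key: int, msg: bytes) -> int:
    """Provably universal hash: evaluate the message polynomial at the secret
    point r = key mod P, using Horner's rule.  Two distinct messages of at most
    n words collide with probability at most n / P over the choice of r."""
    r = key % P
    h = 0
    for w in _words(msg):
        h = (h * r + w) % P
    return h


def collision_bound(max_msg_bytes: int) -> Fraction:
    """Upper bound on Pr[poly_hash(r, m1) == poly_hash(r, m2)] for m1 != m2 of at
    most max_msg_bytes bytes: degree of the difference polynomial over P."""
    degree = -(-max_msg_bytes // WORD) + 1  # ceil(len/WORD) words plus the length word
    return Fraction(degree, P)


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for the keyed cryptographic ('unpredictable') function with
    fixed-length input: HMAC-SHA256 truncated to 128 bits (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def mac(hash_key: int, prf_key: bytes, msg: bytes, nonce: bytes = b"") -> bytes:
    """128-bit authenticator: hash m to 128 bits, then apply the keyed function.
    When a unique message number (nonce) is available it is fed into the keyed
    function alongside the hash, as the mail suggests; a hash collision between
    two messages then only matters if they also share a nonce."""
    h = poly_hash(hash_key, msg).to_bytes(16, "little")
    return prf(prf_key, nonce + h)


def verify(hash_key: int, prf_key: bytes, msg: bytes, tag: bytes, nonce: bytes = b"") -> bool:
    """Constant-time comparison so tag verification does not leak via timing."""
    return hmac.compare_digest(mac(hash_key, prf_key, msg, nonce), tag)


if __name__ == "__main__":
    # Constructed sample keys for a stand-alone run; a real deployment draws
    # both keys from a CSPRNG (e.g. secrets.token_bytes) or a key-derivation step.
    hk = int.from_bytes(b"\x5a" * 16, "little")
    pk = b"\xa5" * 16
    t = mac(hk, pk, b"ESP packet payload", nonce=(1).to_bytes(8, "big"))
    print(t.hex(), verify(hk, pk, b"ESP packet payload", t, nonce=(1).to_bytes(8, "big")))
    print("collision bound for 1500-byte messages:", float(collision_bound(1500)))
```

The bound returned by `collision_bound` is what "provably universal" buys: the forgery probability of the whole scheme is the hash collision probability plus whatever advantage an attacker has against the keyed function, with no unproven assumption about the hash stage.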