spf-discuss

Re: MD5 HMAC HASH - 64 or 128 bits?

2004-02-11 03:14:35
On Wed, 11 Feb 2004, Daniel Roethlisberger wrote:

James Couzens <jcouzens(_at_)obscurity(_dot_)org> [2004-02-10/19:42]:
I would suggest that the final SRS specification should not define
the length of the cookie, nor the exact algorithm, so deployed
implementations can choose their own tradeoff between security and
address length.

However, recommendations must be made. It is very easy to totally barf up
a very nice crypto scheme by pushing the wrong things in the wrong order.  
Consider RSA with e=3 (cash registers, smartcards), replays with small
deltas (IPSec), RC4 with weak IVs (WEP) for a brief and pertinent history.

However, the comments below are correct: the hash is opaque and may remain 
so.

Of course it might still be a good idea to have some recommendations so
people don't use silly things like 1 byte checksums as cookie.

Oops! You got this bit already.

I'm of the opinion that choice is a good thing, but not lots of
choice.  I think 2, or 3 algorithms would suffice very nicely, perhaps
each one having its "benefit" and "drawback" so one can choose one that
suits their needs best and not worry about it wreaking havoc.

I would say, recommend using a HMAC, but have people use their favourite
hash function. It does not matter whether they use MD5, SHA-1, SHA-256
or something else.

If we have the ability to shorten it, I would be biased slightly against
MD5. It's a question of whether 6 bytes (out of 32?) of SHA1 is better
than 6 bytes (out of 22) of MD5, and whether either of these algorithms is
weakened by being prefix-only. I'll have to look up some crypto again (or
more likely, just ask someone!).

These recommendations will most likely be accepted and will make it into
tonight's release candidate.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/
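
An added illustration of the truncated-HMAC cookie discussed in this message; it is not code from the thread or from any SRS implementation. The field layout, the base32 encoding, the 4-byte minimum and all names are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; a real deployment would load a random key.
SECRET = b"constructed-example-secret"


def make_cookie(secret, fields, digest="sha1", nbytes=6):
    """Return the leftmost nbytes of an HMAC over the fields, base32-encoded."""
    if nbytes < 4:
        # Assumed floor: a 1-byte cookie falls to at most 256 guesses.
        raise ValueError("cookie too short to resist guessing")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(len(f).to_bytes(2, "big") + f
                   for f in (x.encode() for x in fields))
    mac = hmac.new(secret, msg, digest).digest()
    if nbytes > len(mac):
        raise ValueError("requested more bytes than the digest provides")
    # Prefix truncation: keep only the first nbytes of the full MAC.
    return base64.b32encode(mac[:nbytes]).decode().rstrip("=").lower()


def verify_cookie(secret, fields, cookie, digest="sha1", nbytes=6):
    """Recompute the cookie and compare in constant time.

    Only the holder of the secret verifies, so the hash function and the
    length are local choices and the cookie stays opaque to everyone else.
    """
    try:
        expected = make_cookie(secret, fields, digest, nbytes)
    except ValueError:
        return False
    # Assumption: compare case-insensitively in case a relay changed the case.
    return hmac.compare_digest(expected.encode(), cookie.lower().encode())


def forgery_odds(nbytes):
    """Chance that a single blind guess matches an nbytes-long cookie."""
    return 2.0 ** (-8 * nbytes)
```

With 6 bytes kept, one blind guess succeeds with probability 2^-48 whichever hash sits underneath, as long as the HMAC output is indistinguishable from random.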