Options

Hash Functions in IPsec, MD5 vs. SHA1 both at 96Bits

AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
Morning Folks,

According to RFC 2403 and 2404 IPSEC truncates both MD5 and SHA1 hashes to 96bits (as defined in RFC 2104...yes I've been checking numbers....and quoting them as my scapegoat in case this is all wrong ;) ). From what I understand the biggest threat to hashing is not brute force but mathematical collisions. There's been a lot of publicity about such weaknesses in MD5 and I know they exist in just about any Hash algorithm simply by their nature, but for whatever reason SHA1 either hasn't had as many exploits found or they simply weren't publicised widely. My question though - Is SHA1 when truncated under IPSEC to the same 96bits as MD5 inherently more secure due to less collision exploits against the algorithm, or does that even matter i?

Cheers.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?

Comments

  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Hmmm, good question, I'm going to need to look into this more icon_eek.gif

    One would think IPSec uses the whole hash with sha-1 (and other stronger hashing algorithms), but it would seem the RFC says otherwise.
    The only easy day was yesterday!
  • Options
    keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    Ahriakin wrote:
    Morning Folks,

    According to RFC 2403 and 2404 IPSEC truncates both MD5 and SHA1 hashes to 96bits (as defined in RFC 2104...yes I've been checking numbers....and quoting them as my scapegoat in case this is all wrong ;) ). From what I understand the biggest threat to hashing is not brute force but mathematical collisions. There's been a lot of publicity about such weaknesses in MD5 and I know they exist in just about any Hash algorithm simply by their nature, but for whatever reason SHA1 either hasn't had as many exploits found or they simply weren't publicised widely. My question though - Is SHA1 when truncated under IPSEC to the same 96bits as MD5 inherently more secure due to less collision exploits against the algorithm, or does that even matter i?

    Cheers.

    I think the major difference you're looking for here is the rounding functions. MD5 and SHA1 are not extremely different in design principle(Ron Rivest). Both produce 32 bit blocks, but MD5 uses 4 rounds and SHA1 uses 5. This process happens BEFORE the truncation occurs, so the chances of collisions are still less with SHA1. I guess you have to think about what's actually truncated here. SHA1-HMAC-96 with a 160 bit key is what I'm assuming you're referring to in comparison to MD5-HMAC-96 with a 128 bit key? You would also have to factor in what kind of attacks you're concerned about as well. Also there are other pieces and variables that ultimately help determine the final "secureness". Bottom line is trying to assign a "security value" based off nothing but truncating would certainly be an over-simplification. Unless you drop to the lower levels like 30, which would at that point begin to actually have a real serious impact regardless of everything else.

    Now I'm getting a headache trying to remember this. icon_rolleyes.gif
  • Options
    JDMurrayJDMurray Admin Posts: 13,050 Admin
    There's actually no harm in mathematical hashing collisions unless there is a possibility that a specific collision can be used for a practical exploit. The odds of that happening are far less that the possibility of any mathematical collisions occurring at all.
  • Options
    AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Great info. guys thanks.

    Keatron - http://www.anacin.com/ , now don't say I don't give back icon_lol.gif
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Options
    JDMurrayJDMurray Admin Posts: 13,050 Admin
  • Options
    dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    I guess the bigger question I had when it was raised is not that there are truncated hash algorithms (SHA1-HMAC-96 and MD5-HMAC-96) but does IPSec always truncate them? The RFC says SHA1-HMAC-96 and MD5-HMAC-96 must be supported but it also says they CAN be truncated (implying they don't need to be truncated when using IPSec).
    The only easy day was yesterday!
  • Options
    keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    dtlokee wrote:
    I guess the bigger question I had when it was raised is not that there are truncated hash algorithms (SHA1-HMAC-96 and MD5-HMAC-96) but does IPSec always truncate them? The RFC says SHA1-HMAC-96 and MD5-HMAC-96 must be supported but it also says they CAN be truncated (implying they don't need to be truncated when using IPSec).

    Ok, to answer that question it's no. It will depend on your implementation (and in most cases the vendor). Keep in mind IPSec is a generic term and there are many different vendor specific versions.

    Thanks for the meds guys!!
Sign In or Register to comment.