Hash Functions in IPsec, MD5 vs. SHA1 both at 96Bits

Morning Folks,
According to RFC 2403 and 2404 IPSEC truncates both MD5 and SHA1 hashes to 96 bits (as defined in RFC 2104...yes I've been checking numbers....and quoting them as my scapegoat in case this is all wrong). From what I understand the biggest threat to hashing is not brute force but mathematical collisions. There's been a lot of publicity about such weaknesses in MD5 and I know they exist in just about any hash algorithm simply by their nature, but for whatever reason SHA1 either hasn't had as many exploits found or they simply weren't publicised widely. My question though - Is SHA1 when truncated under IPSEC to the same 96 bits as MD5 inherently more secure due to fewer collision exploits against the algorithm, or does that even matter?
Cheers.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Comments
One would think IPSec uses the whole hash with sha-1 (and other stronger hashing algorithms), but it would seem the RFC says otherwise.
I think the major difference you're looking for here is the rounding functions. MD5 and SHA1 are not extremely different in design principle (Ron Rivest). Both produce 32 bit blocks, but MD5 uses 4 rounds and SHA1 uses 5. This process happens BEFORE the truncation occurs, so the chances of collisions are still less with SHA1. I guess you have to think about what's actually truncated here. SHA1-HMAC-96 with a 160 bit key is what I'm assuming you're referring to in comparison to MD5-HMAC-96 with a 128 bit key? You would also have to factor in what kind of attacks you're concerned about as well. Also there are other pieces and variables that ultimately help determine the final "secureness". Bottom line is trying to assign a "security value" based off nothing but truncating would certainly be an over-simplification. Unless you drop to the lower levels like 30, which would at that point begin to actually have a real serious impact regardless of everything else.
Now I'm getting a headache trying to remember this.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Keatron - http://www.anacin.com/ , now don't say I don't give back
Ok, to answer that question it's no. It will depend on your implementation (and in most cases the vendor). Keep in mind IPSec is a generic term and there are many different vendor specific versions.
Thanks for the meds guys!!
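
The truncation discussed in this thread, as an added example that is not part of any post: a Python sketch of HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404) showing that the full keyed hash is computed first and only the leftmost 96 bits are sent and checked. The function names are chosen for this example; the inputs are RFC 2202 test case 1.

```python
import hashlib
import hmac

ICV_LEN = 12  # 96 bits, the truncation length in RFC 2403 / RFC 2404

# Hash function and fixed key length (bytes) each RFC specifies.
ALGS = {
    "HMAC-MD5-96": (hashlib.md5, 16),     # RFC 2403: 128-bit key
    "HMAC-SHA-1-96": (hashlib.sha1, 20),  # RFC 2404: 160-bit key
}


def full_digest_len(alg: str) -> int:
    """Size in bytes of the untruncated HMAC output."""
    return ALGS[alg][0]().digest_size


def icv(alg: str, key: bytes, data: bytes) -> bytes:
    """Compute the full HMAC, then keep only the leftmost 96 bits."""
    digestmod, key_len = ALGS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} requires a {key_len}-byte key")
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def verify(alg: str, key: bytes, data: bytes, received: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(received) != ICV_LEN:
        return False
    return hmac.compare_digest(icv(alg, key, data), received)


if __name__ == "__main__":
    data = b"Hi There"  # RFC 2202 test case 1 message
    for alg, (_, key_len) in ALGS.items():
        key = b"\x0b" * key_len  # RFC 2202 test case 1 key
        tag = icv(alg, key, data)
        print(f"{alg}: {full_digest_len(alg) * 8}-bit HMAC "
              f"-> {len(tag) * 8}-bit ICV {tag.hex()}")
        print("  valid packet accepted:   ", verify(alg, key, data, tag))
        print("  modified packet accepted:", verify(alg, key, data + b"!", tag))
        # Without the key, a blind guess at the ICV succeeds with
        # probability 2**-96 for either algorithm.
```
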