Re: [DNSOP] RFC 2845bis and HMAC-MD5
Paul Wouters wrote: > > On Mar 14, 2019, at 15:53, Martin Hoffmann wrote: > > > > As such, I would like to propose to move HMAC-MD5 to optional and only > > retain SHA-1 and SHA-256 as mandatory. > It’s too soon. Only a year or so again there was only hmac-md5 I don't understand that comment ... 4635 HMAC SHA (Hashed Message Authentication Code, Secure Hash Algorithm) TSIG Algorithm Identifiers. D. Eastlake 3rd. August 2006. (Format: TXT=16533 bytes) (Updates RFC2845) (Status: PROPOSED STANDARD) (DOI: 10.17487/RFC4635) BIND got support in 9.5.0. Tony. -- f.anthony.n.finchhttp://dotat.at/ Forties, Cromarty, Forth, Tyne, Dogger: West 7 to severe gale 9, decreasing 6, then becoming cyclonic later. Moderate or rough, occasionally very rough at first in Forties and Dogger. Showers, rain later. Good, occasionally poor.___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] RFC 2845bis and HMAC-MD5
It’s too soon. Only a year or so again there was only hmac-md5 Sent from mobile device > On Mar 14, 2019, at 15:53, Martin Hoffmann wrote: > > Hi, > > when looking over draft-ietf-dnsop-rfc2845bis I was hoping that it > would relax the mandatory requirement for HMAC-MD5, but no such luck. > > Given that most protocols have either made MD5 optional or banned it > outright, some modern crypto libraries have decided to drop it from > their supported algorithms. It seems to me that forcing new code to > include dependencies for MD5 is unnecessary. > > As such, I would like to propose to move HMAC-MD5 to optional and only > retain SHA-1 and SHA-256 as mandatory. > > Kind regards, > Martin > > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] RFC 2845bis and HMAC-MD5
On Thu, 14 Mar 2019 at 15:09, Tony Finch wrote: > Martin Hoffmann wrote: > > > > As such, I would like to propose to move HMAC-MD5 to optional and only > > retain SHA-1 and SHA-256 as mandatory. > > That seems sensible. There should at the very least be a reference to > RFC6151, Updated Security Considerations for the MD5 Message-Digest and > the HMAC-MD5 Algorithms. Is there any continuing justification for the special treatment of SHA-1 enshrined in the footnote to Table 1. Section 8 make abundantly clear that algorithm selection and applicable truncation is a matter of policy and agreement between client and server. Taken together with the detailed requirements in section 6.5.2.1, and the statement that a reply SHOULD be sent with a MAC at least as long as that in the corresponding request, removes the need for specific numerical length constraints to be stated in this document. IMHO the SHOULD here should become MUST, promoting this to a full requirement. The special cases identified in 6.5.1 and 6.5.2 are obviously not subject to the general policy. Security conscious users will define their policy having regard to performance and size versus strength trade-offs and weaknesses of particular algorithms about which there is no shortage of published material. Requirement Name --- Mandatory HMAC-MD5.SIG-ALG.REG.INT Optionalgss-tsig Mandatory hmac-sha1 Optionalhmac-sha224 Mandatory hmac-sha256 Optionalhmac-sha384 Optionalhmac-sha512 Table 1 SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented. --Dick ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] RFC 2845bis and HMAC-MD5
On Thu, 14 Mar 2019 at 11:08, Tony Finch wrote: > Martin Hoffmann wrote: > > > > As such, I would like to propose to move HMAC-MD5 to optional and only > > retain SHA-1 and SHA-256 as mandatory. > > That seems sensible. There should at the very least be a reference to > RFC6151, Updated Security Considerations for the MD5 Message-Digest and > the HMAC-MD5 Algorithms. > Agreed. I can't remember the last time I generated an HMAC-MD5 key .. and I believe the default behaviour for most (all?) recent major distributions default to something stronger (e.g. BIND now defaults to HMAC-SHA256). Any operators needing to support old key algorithms would be free to use distributions that continue to optionally support them, or generate and distribute new keys (something that should be done periodically anyway). ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] RFC 2845bis and HMAC-MD5
Martin Hoffmann wrote: > > As such, I would like to propose to move HMAC-MD5 to optional and only > retain SHA-1 and SHA-256 as mandatory. That seems sensible. There should at the very least be a reference to RFC6151, Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms. Tony. -- f.anthony.n.finchhttp://dotat.at/ Shetland Isles: Variable 3 or less, becoming west or southwest 4 or 5, occasionally 6 later. Moderate or rough. Showers. Moderate or good. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
[DNSOP] RFC 2845bis and HMAC-MD5
Hi, when looking over draft-ietf-dnsop-rfc2845bis I was hoping that it would relax the mandatory requirement for HMAC-MD5, but no such luck. Given that most protocols have either made MD5 optional or banned it outright, some modern crypto libraries have decided to drop it from their supported algorithms. It seems to me that forcing new code to include dependencies for MD5 is unnecessary. As such, I would like to propose to move HMAC-MD5 to optional and only retain SHA-1 and SHA-256 as mandatory. Kind regards, Martin ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop