Hi,

I believe that this is the right list for my question. I'm trying to get

SHA-2 HMAC support working ipsec in linux kernel (I'm configuring via

pfkey).

First, sha-384 and sha-512 as authentication algorithm always return

function not support. But I noted that my linux kernel has a sha512

kernel module (with alias for sha384). Second, sha-256 uses a 12-byte

hmac (96 bits).

Looking at the source http://lxr.linux.no/source/net/xfrm/xfrm_algo.c,

it seems to confirm that this is true. In fact, sha-384 and sha-512 are

not supported at this time and sha-256 is truncated to 96-bit.

However, the following ietf draft, which I believe is very closed to

ratification (it has already been assigned iana numbers), specifies

sha-256 to use 128-bits as hmac (page 18):

http://www.ietf.org/internet-drafts/draft-kelly-ipsec-ciph-sha2-01.txt

sha-384 is 192 bits, and sha-512 is 256 bits.

1. Is adding sha-384 and sha-512 as simple as adding to the aalg_list

structure? Can this be done for some subsequent kernel release in the

future?

2. Can the sha-256 be changed to use 128 bits? Or in order to not break

backward compatibility, another sha-256 hmac algorithm id be used for

128 bits?

Thanks,

Chinh

Chinh Nguyen wrote:

> Looking at the source http://lxr.linux.no/source/net/xfrm/xfrm_algo.c,

> it seems to confirm that this is true. In fact, sha-384 and sha-512 are

> not supported at this time and sha-256 is truncated to 96-bit.

That's normal.

HMAC usage in IPsec specifies that we only use 96-bits of the result.

This is a tradeoff in space in the packet vs absolute "security"

In addition should you be able to cause a collision in 96-bits by some

method other than brute force, you can not be sure if you guess the key

properly.

> However, the following ietf draft, which I believe is very closed to

> ratification (it has already been assigned iana numbers), specifies

> sha-256 to use 128-bits as hmac (page 18):

> http://www.ietf.org/internet-drafts/draft-kelly-ipsec-ciph-sha2-01.txt

Yes, but that's the key, not the result.

It is keyed with various sizes of bits, but the results are truncated.