One of the security area directors has placed a DISCUSS on the above draft. The working group needs to talk about the issue raised and determine how to proceed.
The specific issue is that a simple hash over a key prepended to the data to be redacted is not a strong security measure. Although we've mentioned that this isn't much of a concern in our case in the proposed new text, the complaint has reappeared. For example, the simple key-hash solution is susceptible to a few simple recovery attacks. Among other things, the concern is that doing something like this on the standards track might lead future efforts to believe this mechanism is sufficient for arbitrary data protection when it is not.

The proposals going forward appear to be:

a) Instead of a hash of key + data, replace the algorithm with HMAC, as defined in RFC2104.

b) Add even more explanatory text so that the reader has it clear that we are not attempting to completely secure something here, and acknowledge fully that there are weaknesses in our algorithm. (The Wikipedia page for HMAC gives a pretty good description of the comparison and attacks.)

c) Attempt to argue that it's good enough as it is, and that's how we want it.

Comments, please.

-MSK

_______________________________________________
marf mailing list
https://www.ietf.org/mailman/listinfo/marf
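Editor's added example, not part of the message above or of the draft it discusses: the Python below shows the concrete gap between proposal a) and the current construction, using the length-extension attack that the HMAC comparison on Wikipedia describes. Given only a tag H(key || data), the data, and the length of the key (never the key itself), an attacker computes a valid tag for data with arbitrary bytes appended; the same trick fails against RFC 2104 HMAC because its outer keyed hash means the tag is not a resumable chaining state. The draft's actual hash function is not named on this page, so SHA-1 is an assumption, implemented from scratch only because hashlib does not let you resume from a chosen state; the key, the redacted value and the appended suffix are constructed sample inputs.

```python
"""Prefix-hash tag H(key || data) versus RFC 2104 HMAC: a length-extension
forgery against the former, and a cross-check of both against hashlib.
SHA-1 is assumed as the underlying hash (the draft's choice is not given here)."""
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def _compress(h, chunk):
    """One SHA-1 compression of a 64-byte block into the chaining state h."""
    w = list(struct.unpack(">16L", chunk))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & M32, a, _rotl(b, 30), c, d
    return [(x + y) & M32 for x, y in zip(h, (a, b, c, d, e))]


def md_padding(total_len):
    """Merkle-Damgard padding for a total_len-byte message: 0x80, zeros, then
    the 64-bit big-endian bit length, so the result ends on a 64-byte boundary."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=H0, prior_len=0):
    """SHA-1 of data. With state/prior_len, resume from a chaining value that has
    already absorbed prior_len bytes (prior_len must be a multiple of 64)."""
    h = list(state)
    msg = data + md_padding(prior_len + len(data))
    for off in range(0, len(msg), 64):
        h = _compress(h, msg[off:off + 64])
    return struct.pack(">5L", *h)


def prefix_tag(key, data):
    """The construction under DISCUSS: one plain hash over key prepended to data."""
    return sha1(key + data)


def length_extend(tag, data, key_len, suffix):
    """Attacker side: from tag = H(key || data), data and the key LENGTH only,
    build new_data and a tag that prefix_tag(key, new_data) will match."""
    glue = md_padding(key_len + len(data))      # padding the real hash applied
    new_data = data + glue + suffix
    state = struct.unpack(">5L", tag)            # the tag is the chaining state
    absorbed = key_len + len(data) + len(glue)   # a whole number of blocks
    return new_data, sha1(suffix, state=state, prior_len=absorbed)


def hmac_sha1(key, data, block_size=64):
    """HMAC per RFC 2104 section 2: H((K ^ opad) || H((K ^ ipad) || text)).
    The keyed outer hash means a tag is never a state the attacker can resume."""
    if len(key) > block_size:
        key = sha1(key)
    key = key.ljust(block_size, b"\x00")
    inner = sha1(bytes(b ^ 0x36 for b in key) + data)
    return sha1(bytes(b ^ 0x5C for b in key) + inner)


def matches_hashlib(key, data):
    """Cross-check the hand-rolled SHA-1 and HMAC against the standard library."""
    return (sha1(data) == hashlib.sha1(data).digest()
            and hmac_sha1(key, data) == hmac.new(key, data, hashlib.sha1).digest())


def forgery_accepted(key, data, suffix):
    """True when the extended message verifies under the prefix construction
    even though the attacker never saw key."""
    new_data, new_tag = length_extend(prefix_tag(key, data), data, len(key), suffix)
    return prefix_tag(key, new_data) == new_tag


if __name__ == "__main__":
    key = b"constructed-redaction-key"             # constructed sample secret
    data = b"[email protected]"            # constructed sample redacted value
    print("sha1/hmac match hashlib:", matches_hashlib(key, data))
    print("prefix construction forged:", forgery_accepted(key, data, b";[email protected]"))
    # Against HMAC there is no usable chaining state in the tag, so the same
    # extension produces a tag the HMAC verifier rejects.
    new_data, new_tag = length_extend(hmac_sha1(key, data), data, len(key), b"x")
    print("same trick against HMAC:", hmac_sha1(key, new_data) == new_tag)
```

The attack needs the key length, which it can simply brute-force over plausible sizes, and it does not recover the key or the redacted value; what it shows is that the prefix construction leaks its internal state through the tag, which is exactly the class of weakness HMAC's two-hash structure was designed to remove.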
