Re: [PATCH net-next v2 0/5] Reimplement TCP-AO using crypto library

From: Simo Sorce

Date: Tue Apr 28 2026 - 12:30:05 EST


On Mon, 2026-04-27 at 16:20 -0700, Eric Biggers wrote:
> On Mon, Apr 27, 2026 at 08:01:16PM +0000, Eric Biggers wrote:
> > > - Ronald P. Bonica (the original RFC5925 author), together with Tony
> > > Li do have an active RFC draft to support the additional algorithms
> [...]
> > > [1] https://www.ietf.org/archive/id/draft-bonica-tcpm-tcp-ao-algs-00.html
>
> For what it's worth, that draft makes very little sense. For example,
> it proposes three variants of HMAC-SHA3, instead of just making the
> modern choice of KMAC256. And it proposes both HMAC-SHA384 and
> HMAC-SHA512, despite them being redundant with each other after the
> specified truncation to 128 bits.

Which is bogus in itself without proper security considerations; the
only consideration cited is an RFC from 1997 ... clearly the pinnacle
of cryptography advice ...

If they need a shorter hash they should do themselves a favor and use
SHAKE and then define the desired output length and desired key size.
That draft is just a disaster as written.

Specifically they should use KMAC128 as defined in NIST SP 800-185
(which uses cSHAKE128 underneath).

Simo.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
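Added worked example, not part of this thread or of the TCP-AO patch set under discussion: KMAC128 as defined in NIST SP 800-185 (cSHAKE128 underneath), built directly on the Keccak-f[1600] sponge so the SP 800-185 framing (encode_string, bytepad, right_encode of the output length) is visible rather than hidden in a library. It also goes slightly beyond the message by showing why "define the desired output length" matters: KMAC feeds the requested length into the input, so a 16-byte tag is not a prefix of the 32-byte tag, unlike a truncated HMAC. The sample key (0x40..0x5F) and data (00 01 02 03) are the constructed inputs of NIST's published KMAC128 samples; the function names are this example's own.

```python
"""KMAC128 (NIST SP 800-185) on a from-scratch Keccak-f[1600] sponge.

Added illustration; not code from the thread or the patch set.
Only the standard library is used (hashlib serves as a SHAKE128 cross-check).
"""
import hashlib

MASK64 = (1 << 64) - 1
RATE128 = 168  # sponge rate in bytes at the 128-bit level (capacity = 256 bits)

ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# rho rotation offsets, indexed [x][y]
RHO = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def keccak_f1600(a):
    """24-round Keccak-f[1600] permutation on a 5x5 array of 64-bit lanes a[x][y]."""
    for rc in ROUND_CONSTANTS:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]        # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], RHO[x][y])      # rho + pi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]                       # chi
        a[0][0] ^= rc                                                     # iota
    return a


def sponge(rate, data, suffix, out_len):
    """Absorb data (with the domain-separation suffix byte and pad10*1), squeeze out_len bytes."""
    state = [[0] * 5 for _ in range(5)]
    buf = bytearray(data) + bytes([suffix])
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] ^= 0x80
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):  # lane i = x + 5*y, little-endian bytes
            state[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        state = keccak_f1600(state)
    out = bytearray()
    while True:
        for i in range(rate // 8):
            out += state[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = keccak_f1600(state)


# --- SP 800-185 encoding helpers -------------------------------------------
def _left_encode(x):
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return bytes([len(body)]) + body


def _right_encode(x):
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return body + bytes([len(body)])


def _encode_string(s):
    return _left_encode(len(s) * 8) + s


def _bytepad(x, w):
    z = _left_encode(w) + x
    return z + b"\x00" * (-len(z) % w)


def cshake128(x, out_len, n=b"", s=b""):
    """cSHAKE128 with function name n and customization string s (bytes)."""
    if not n and not s:
        return sponge(RATE128, x, 0x1F, out_len)  # degenerates to plain SHAKE128
    prefix = _bytepad(_encode_string(n) + _encode_string(s), RATE128)
    return sponge(RATE128, prefix + x, 0x04, out_len)


def kmac128(key, data, out_len, custom=b""):
    """KMAC128(K, X, L, S): the output length L (in bits) is part of the MAC input."""
    body = _bytepad(_encode_string(key), RATE128) + data + _right_encode(out_len * 8)
    return cshake128(body, out_len, b"KMAC", custom)


def matches_stdlib_shake128(data, n):
    """Cross-check our sponge against hashlib's SHAKE128 (same permutation, suffix 0x1F)."""
    return sponge(RATE128, data, 0x1F, n) == hashlib.shake_128(data).digest(n)


def length_binding_demo():
    """A 16-byte KMAC128 tag is NOT a truncation of the 32-byte tag for the same key/data."""
    key, msg = bytes(range(0x40, 0x60)), bytes([0, 1, 2, 3])  # constructed sample inputs
    return kmac128(key, msg, 32)[:16] != kmac128(key, msg, 16)


if __name__ == "__main__":
    key, msg = bytes(range(0x40, 0x60)), bytes([0, 1, 2, 3])
    print("KMAC128, L=256:", kmac128(key, msg, 32).hex())
    print("KMAC128, L=128:", kmac128(key, msg, 16).hex())
    print("length-bound:", length_binding_demo())
```

The `sponge` routine is the only Keccak-specific part; cSHAKE only changes the domain-separation suffix (0x04 instead of SHAKE's 0x1F) and prepends the encoded function name and customization string, and KMAC is cSHAKE with the padded key in front and the output length appended. That appended `right_encode(L)` is what makes "KMAC128 with a 128-bit tag" a distinct function from "KMAC128 with a 256-bit tag truncated".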