Regarding HMAC-SHA256 #247

Closed
Thermi opened this issue Feb 17, 2017 · 2 comments
Thermi commented Feb 17, 2017

There are differing implementations of HMAC-SHA256.

Some with a truncation to 96 bits (that was a draft proposed in 2002 that some vendors implemented, and they never bothered to implement HMAC-SHA256 correctly), some with a truncation to 128 bits, which is correct.

Both versions use the same IANA identifier in IKE though.

If a CHILD_SA is negotiated between two peers that use differing implementations, traffic will not be able to be transmitted either way, because the check of the ICV in the ESP packet will fail.

It was observed that this was at least the case with the native VPN client of Android 6. This might also pertain to other cases. However, I have not experienced any problem with other IPsec clients yet. So this might be an isolated case.
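As an added illustration (not part of the original issue or of the project's code), the script below shows why peers that truncate HMAC-SHA256 to 96 bits and to 128 bits reject each other's ESP packets in both directions even though both derive the same full MAC. The key and packet bytes are constructed sample values.

```python
import hmac
import hashlib

# Truncation lengths for the HMAC-SHA-256 ESP integrity check seen in the wild:
# RFC 4868 (AUTH_HMAC_SHA2_256_128) keeps 128 bits; the older 2002 draft
# implementations mentioned in the issue keep only 96 bits.
TRUNC_RFC4868_BITS = 128
TRUNC_DRAFT_BITS = 96

# Constructed sample input: a 256-bit integrity key and the authenticated part
# of an ESP packet (SPI, sequence number, encrypted payload), without the ICV.
SAMPLE_KEY = bytes.fromhex("11" * 32)
SAMPLE_AUTHENTICATED = (
    bytes.fromhex("00001234")                # SPI (constructed)
    + bytes.fromhex("00000001")              # sequence number (constructed)
    + b"constructed encrypted ESP payload"   # ciphertext placeholder
)


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """Sender side: HMAC-SHA-256 over the authenticated bytes, keeping the
    leftmost trunc_bits bits as RFC 2104 style truncation prescribes."""
    full = hmac.new(key, authenticated, hashlib.sha256).digest()
    return full[: trunc_bits // 8]


def verify_icv(key: bytes, authenticated: bytes, icv: bytes, trunc_bits: int) -> bool:
    """Receiver side: recompute with the receiver's own truncation length and
    compare in constant time. A length mismatch simply fails the comparison."""
    expected = esp_icv(key, authenticated, trunc_bits)
    return hmac.compare_digest(expected, icv)


def interop(key: bytes, authenticated: bytes, sender_bits: int, receiver_bits: int) -> bool:
    """One direction of traffic: the sender appends its ICV, the receiver
    checks it with its own truncation. Returns True if the packet is accepted."""
    icv = esp_icv(key, authenticated, sender_bits)
    return verify_icv(key, authenticated, icv, receiver_bits)


if __name__ == "__main__":
    for s, r in [(128, 128), (96, 96), (96, 128), (128, 96)]:
        print(f"sender {s}-bit -> receiver {r}-bit: "
              f"{'accepted' if interop(SAMPLE_KEY, SAMPLE_AUTHENTICATED, s, r) else 'ICV check failed'}")
```

The 96-bit tag is a prefix of the 128-bit tag, so the failure is purely a disagreement about length that the shared IANA identifier cannot express.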

@dguido dguido added this to the 1.0 milestone Mar 26, 2017

dguido commented Mar 26, 2017

That is not good. Is the suggestion to move to SHA2-512 HMAC? There are not many choices for integrity algorithms and we'll need to test that all our clients still work: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites#Integrity-Algorithms


Thermi commented Mar 27, 2017

Yes, for example SHA2-512. Or AES-GCM with SHA2-512 as the PRF.

ike=aes192gcm16-prfsha512-ecp521!
esp=aes192gcm16-ecp521!

jackivanov added a commit that referenced this issue Apr 5, 2017
jackivanov added a commit that referenced this issue Apr 10, 2017
defunctio pushed a commit that referenced this issue Apr 11, 2017
Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
faf0 pushed a commit to faf0/algo that referenced this issue Dec 13, 2018