Re: MAC / MIC / MD for short messages

Michael Meier wrote:
Avoid MAC'ing small messages. It's inefficient and wastes space. Even
if you did say HMAC-SHA1-32 on 2 byte payloads you are using 200% of
the packet space to store the MAC tag.

I'd use larger packets, or if delivery is guaranteed use a MAC over
several packets. That way you may decode X packets but you will
eventually pick up on the error.

Well, yes, the problem is the messages are only very short and only sent
from time to time. So they have to be short and each packet has to be
authenticated by itself. I can't wait for further packets until I know
that the first packet maybe failed authentication...
That's why I was asking if it's OK to use, for a 5-byte packet, a MAC of
only e.g. 24 bits instead of 128 bits - or if this is an extreme
security problem.

If it isn't a bandwidth issue why can't you just send the entire MAC?
Keep in mind you should be MAC'ing the payload and a timestamp or
counter. Otherwise people could replay packets.

What cipher you pick depends on your platform. If you're on an 8051
... well give up. They're useless.
The microcontroller will be a 16-bit chip. I hope AES should work
with it, does it?

Would you favour CMAC over HMAC-MD5? Could you please tell me why?

For a 16-bit processor you should get away with AES provided it has a
decent path to memory.

You could get away with truncating the MAC tag somewhat since your
messages are so short and infrequent. The smallest I would go with is a
64-bit tag. It depends on how many messages you plan on sending per key.
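As an added worked example (not code from anyone in this thread), the scheme the replies converge on: each short packet carries a counter that is MAC'd together with the payload (so replays can be rejected), the tag is truncated to 64 bits, and the receiver verifies every packet on its own. HMAC-SHA256 from the Python standard library stands in for the AES-CMAC or HMAC-MD5 the thread discusses; the packet layout, field sizes, the `KEY` value and all function names are assumptions made for this illustration. The last helper puts numbers on the truncation question: the chance that an attacker who can submit N guessed tags for one chosen message gets one accepted, for a 24-bit versus a 64-bit tag.

```python
import hmac
import hashlib
import math
import struct
from typing import Optional

# Assumed layout for this example (not from the thread):
#   packet = counter (2 bytes, big-endian) || payload || tag (TAG_LEN bytes)
TAG_LEN = 8              # 64-bit truncated tag, the floor the reply suggests
COUNTER_LEN = 2          # monotonic counter, MAC'd with the payload against replay
KEY = bytes(range(32))   # constructed demo key; use a random key in practice


def mac_tag(key: bytes, counter: int, payload: bytes, tag_len: int = TAG_LEN) -> bytes:
    """Tag over counter || payload, truncated to its leading tag_len bytes.

    Keeping the leading bytes is the conventional way to form a truncated
    HMAC tag such as HMAC-SHA1-32 (RFC 2104, section 5).
    """
    msg = struct.pack(">H", counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_len]


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: build counter || payload || truncated tag."""
    return struct.pack(">H", counter) + payload + mac_tag(key, counter, payload)


class Receiver:
    """Receiver side: verify each packet by itself and reject replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # highest counter accepted so far

    def open(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the tag is valid and the counter is fresh,
        otherwise None. The tag is checked before the counter so an
        attacker learns nothing from the counter check on forged packets."""
        if len(packet) < COUNTER_LEN + TAG_LEN:
            return None
        counter = struct.unpack(">H", packet[:COUNTER_LEN])[0]
        payload = packet[COUNTER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = mac_tag(self.key, counter, payload)
        # Constant-time compare: a byte-wise early exit would let the tag
        # be guessed one byte at a time.
        if not hmac.compare_digest(tag, expected):
            return None
        # A valid tag on an old or repeated counter is a replayed packet.
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return payload


def forgery_success_probability(tag_bits: int, attempts: int) -> float:
    """Probability that `attempts` random tag guesses for one fixed message
    include the correct one: 1 - (1 - 2^-tag_bits)^attempts.

    Computed with log1p/expm1 so that very small probabilities (64-bit tags)
    do not round to zero in floating point."""
    return -math.expm1(attempts * math.log1p(-(2.0 ** -tag_bits)))


if __name__ == "__main__":
    rx = Receiver(KEY)
    pkt = seal(KEY, 1, b"hello")                     # 2 + 5 + 8 = 15 bytes on the wire
    print("first delivery:", rx.open(pkt))            # b'hello'
    print("replayed copy: ", rx.open(pkt))            # None
    print("24-bit tag, 2^20 guesses:", forgery_success_probability(24, 1 << 20))
    print("64-bit tag, 2^20 guesses:", forgery_success_probability(64, 1 << 20))
```

With a 24-bit tag, about a million online guesses give an attacker roughly a 6% chance of getting one forged 5-byte packet accepted; with a 64-bit tag the same effort buys about 2^-44. Whether the receiver can be made to accept a million guesses in the first place (rate limiting, key lifetime, how many messages are sent per key) is the other half of the decision the reply points at.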


