
RE: [Cfrg] Interim MAC function



Isn't the suggestion to prepend m and the output of SHA(m) such that if
your collision is for sha(m) only, it won't collide in hmac(m +
collision)?

Sort of like the proposal:

hash(m) = hashFunc1(m + hashFunc2(m))

I don't see how it could be less secure than HMAC as all it does is
provide more input to it; instead of just M you get SHA(m) too. Are you
able to explain a little bit how it makes it less secure?

-- Michael

 

> -----Original Message-----
> From: David Wagner [mailto:daw at taverner.cs.berkeley.edu] 
> Sent: Thursday, 17 March 2005 8:59 AM
> To: cfrg at ietf.org
> Subject: Re: [Cfrg] Interim MAC function
> 
> Hallam-Baker, Phillip wrote:
> >What I came up with was the MASH digest, (MAC and SHA) as follows:
> 	MASH (m) = HMAC (m, SHA (m))
> 
> I think this is likely to be less secure than SHA1-HMAC.  If 
> an attacker can find a collision in SHA1, they can break 
> MASH.  This permits offline collision attacks on MASH, where 
> the attacker prepares a collision before he even knows the 
> key and without interacting with the legitimate parties.
> 
> In contrast, SHA1-HMAC does not permit such offline collision attacks.
> This was an explicit design goal of SHA1-HMAC.
> 
> So I view MASH as a step backwards.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> 
> 
> 
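
An added example, not part of the original thread: it checks what an offline collision in the pre-hash does under two readings of the MASH formula. Assumptions: a 24-bit truncation of SHA-1 (`toy_hash`) stands in for a hash with practical collisions, HMAC keeps full SHA-1, and every function name, the key and the messages are constructed for illustration.

```python
import hashlib
import hmac

TOY_BYTES = 3  # constructed weakness: 24-bit pre-hash so a collision is cheap

def toy_hash(m: bytes) -> bytes:
    """Truncated SHA-1, standing in for a hash with practical collisions."""
    return hashlib.sha1(m).digest()[:TOY_BYTES]

def find_collision():
    """Offline birthday search: uses no key and no interaction with anyone."""
    seen = {}
    i = 0
    while True:
        m = b"constructed message %d" % i
        d = toy_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1

def tag(key: bytes, data: bytes) -> bytes:
    """HMAC with full (untruncated) SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()

def reading_a(key: bytes, m: bytes) -> bytes:
    """Assumed reading A: the keyed step sees m only through its digest."""
    return tag(key, toy_hash(m))

def reading_b(key: bytes, m: bytes) -> bytes:
    """Reading B: the reply's hashFunc1(m + hashFunc2(m)), HMAC as hashFunc1."""
    return tag(key, m + toy_hash(m))

def compare(key: bytes) -> dict:
    """Report which constructions give the colliding pair the same tag."""
    m1, m2 = find_collision()
    return {
        "messages_differ": m1 != m2,
        "reading_a_equal": reading_a(key, m1) == reading_a(key, m2),
        "reading_b_equal": reading_b(key, m1) == reading_b(key, m2),
        "plain_hmac_equal": tag(key, m1) == tag(key, m2),
    }

if __name__ == "__main__":
    print(compare(b"constructed-key-0123456789"))
```

Under reading A the two tags match for every key, so the pair can be prepared before any key exists; under reading B and plain HMAC the same pair yields different tags. The toy weakens only the pre-hash and says nothing about collisions in the hash used inside HMAC.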

