[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] Interim MAC function

To: "Hallam-Baker, Phillip" <pbaker at verisign.com>
Subject: Re: [Cfrg] Interim MAC function
From: Michael Silk <michaelslists at gmail.com>
Date: Thu, 17 Mar 2005 13:27:51 +1100
Cc: Daniel Brown <DBrown at certicom.com>, cfrg at ietf.org, cfrg-bounces at ietf.org, David Wagner <daw-usenet at taverner.cs.berkeley.edu>
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=nkiapu9ZJrLjCFPJ5ksGnfI5ZBHF2PYZu7711ExJ1AIqGkUdZ9pVfZVWum/xINvs7Vef2CabG7F5xIxEItgKkrPDT/VpF4YFzrxnGkKJN7bx+L4UopsuJrb5mNcTCEBHhYC9mYVsNkWYqQ/QSrdjaewqVpK5ixx+Eg0LHk+Kr5M=
In-reply-to: <198A730C2044DE4A96749D13E167AD3703825F@MOU1WNEXMB04.vcorp.ad.vrsn.com>
List-help: <mailto:cfrg-request@ietf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.ietf.org>
List-post: <mailto:cfrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
References: <198A730C2044DE4A96749D13E167AD3703825F@MOU1WNEXMB04.vcorp.ad.vrsn.com>
Reply-to: michaelslists_at_gmail.com at ietf.org
Sender: cfrg-bounces at ietf.org

But now all you have is a HMAC with a key that the attacker knows.

You've just broken the purpose of HMAC - secret-keyed hashing.

Have I missed something obvious here? It seems that this clarified
proposal is worse then normal HMAC.

-- Michael


On Wed, 16 Mar 2005 18:17:31 -0800, Hallam-Baker, Phillip
<pbaker at verisign.com> wrote:
> 
> > From: cfrg-bounces at ietf.org [mailto:cfrg-bounces at ietf.org] On
> > Behalf Of Daniel Brown
> 
> > Because for long messages, the HMAC key is computed as
> > SHA-1(m), is that
> > you what you're referring to?  Maybe the original intention
> > was to modify
> > HMAC to expand out the key the somehow.  Anyway, I agree with
> > you that
> > MASH - with a compacted key - is no more secure that SHA1 as
> > a HASH, for
> > the reason above.
> 
> The precise proposal is to use
> 
> MASH (m) = HMAC (m, (SHA (m))
> 
> Where HMAC (m, k) is the HMAC of message m with key k.
> 
> So the problem is to find
> 
> HMAC (m1, (SHA (m1)) = HMAC (m2, (SHA (m2))
> 
> If we find SHA (m1) = SHA (m2) the attacker still has to satisfy:
> 
> HMAC (m1, k) = HMAC (m2, k)
> 
> Which implies that
> 
> H(K XOR opad, H(K XOR ipad, m1)) = H(K XOR opad, H(K XOR ipad, m2))
> 
> It may be possible to find such a condition but I certainly do not believe
> that this follows as a direct result of SHA (m1) = SHA (m2)
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> 


-- 
Please adjust the reply-to address.

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

References:
- RE: [Cfrg] Interim MAC function
  - From: Hallam-Baker, Phillip

Prev by Date: RE: [Cfrg] Interim MAC function
Next by Date: Sorry, that's a digest, not a MAC RE: [Cfrg] Interim MAC function
Previous by thread: RE: [Cfrg] Interim MAC function
Next by thread: Re: [Cfrg] Interim MAC function
Index(es):
- Date
- Thread