
Re: [Cfrg] Interim MAC function



"Hallam-Baker, Phillip" said:
> Which implies that
>
> H(K XOR opad, H(K XOR ipad, m1)) = H(K XOR opad, H(K XOR ipad, m2))
> 
> It may be possible to find such a condition but I certainly do not believe
> that this follows as a direct result of SHA (m1) = SHA (m2)

Have you read Kaminsky's note about HMAC's resistance to the attack
(http://eprint.iacr.org/2004/357)?

Re your previous comment: to make those two operations collide, all we
need to do is find a collision for H(K XOR ipad, m2) (where "," is
append). (P.S. I assume "H" here is "SHA" and not another HMAC algo or
something.)

If you know the K (which we do under your proposal) we can calculate
IV = H(K XOR ipad) (padding it to meet block requirements if required)
and then calculate our collision for "M" (m1 & m2) based on that IV.

This IS a direct result of the research and findings (i.e.,
collisions from ANY IV).

-- Michael


On Wed, 16 Mar 2005 18:17:31 -0800, Hallam-Baker, Phillip
<pbaker at verisign.com> wrote:
> 
> > From: cfrg-bounces at ietf.org [mailto:cfrg-bounces at ietf.org] On
> > Behalf Of Daniel Brown
> 
> > Because for long messages, the HMAC key is computed as SHA-1(m), is that
> > what you're referring to?  Maybe the original intention was to modify
> > HMAC to expand out the key somehow.  Anyway, I agree with you that
> > MASH - with a compacted key - is no more secure than SHA1 as a HASH, for
> > the reason above.
> 
> The precise proposal is to use
> 
> MASH (m) = HMAC (m, (SHA (m))
> 
> Where HMAC (m, k) is the HMAC of message m with key k.
> 
> So the problem is to find
> 
> HMAC (m1, (SHA (m1)) = HMAC (m2, (SHA (m2))
> 
> If we find SHA (m1) = SHA (m2) the attacker still has to satisfy:
> 
> HMAC (m1, k) = HMAC (m2, k)
> 
> Which implies that
> 
> H(K XOR opad, H(K XOR ipad, m1)) = H(K XOR opad, H(K XOR ipad, m2))
> 
> It may be possible to find such a condition but I certainly do not believe
> that this follows as a direct result of SHA (m1) = SHA (m2)
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
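
The structure this message relies on, as an added example that is not part of the original thread: with K = SHA(m) computable by anyone, the inner HMAC pass is plain SHA-1 started from a chaining value derived from K XOR ipad. It reads the message's "IV = H(K XOR ipad)" as the SHA-1 state after compressing that one block; the function names are assumptions, and no collision search is performed.

```python
import hashlib, hmac, struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def compress(state, block):
    """SHA-1 compression function: apply one 64-byte block to a chaining value."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def sha1_from_iv(iv, data, prefix_len=0):
    """SHA-1 of data started from iv; prefix_len bytes (a multiple of 64) were already absorbed."""
    bitlen = (prefix_len + len(data)) * 8
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", bitlen)
    state = iv
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)

def mash(m):
    """MASH(m) = HMAC(m, SHA(m)) as proposed in the thread, via the standard library."""
    return hmac.new(hashlib.sha1(m).digest(), m, hashlib.sha1).digest()

def mash_via_known_iv(m):
    """Same value, computed as two plain SHA-1 runs from key-derived chaining values."""
    k = hashlib.sha1(m).digest().ljust(64, b"\x00")            # HMAC zero-pads the key to one block
    inner_iv = compress(SHA1_IV, bytes(x ^ 0x36 for x in k))   # state after the K XOR ipad block
    outer_iv = compress(SHA1_IV, bytes(x ^ 0x5C for x in k))   # state after the K XOR opad block
    inner = sha1_from_iv(inner_iv, m, prefix_len=64)
    return sha1_from_iv(outer_iv, inner, prefix_len=64)
```

Because `inner_iv` depends only on SHA(m), two messages with the same SHA-1 digest share the same inner and outer starting states.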
