
Re: [Cfrg] Interim MAC function



Oh, but I guess in your proposal the key (K) is some function
involving M (sha(m)), so you really can't calculate the inner
collision.

I guess I will retract my objection on that note too, then :)

-- Michael


On Thu, 17 Mar 2005 00:38:29 -0800, Michael Silk
<michaelslists at gmail.com> wrote:
> "Hallam-Baker, Phillip" said:
> > Which implies that
> >
> > H(K XOR opad, H(K XOR ipad, m1)) = H(K XOR opad, H(K XOR ipad, m2))
> >
> > It may be possible to find such a condition but I certainly do not believe
> > that this follows as a direct result of SHA (m1) = SHA (m2)
> 
> Have you read Kaminsky's note about HMAC's resistance to the attack
> (http://eprint.iacr.org/2004/357)?
> 
> Re your previous comment: to make those two operations collide, all we
> need to do is find a collision for H(K XOR ipad, m2) (where "," is
> append). (P.S. I assume "H" here is "SHA" and not another HMAC algo or
> something.)
> 
> If you know the K (which we do under your proposal), we can calculate
> IV = H(K XOR ipad) (padding it to meet block requirements if required)
> and then calculate our collision for "M" (m1 & m2) based on that IV.
> 
> This IS a direct result of the research and findings (i.e.
> collisions from ANY IV).
> 
> -- Michael
> 
> On Wed, 16 Mar 2005 18:17:31 -0800, Hallam-Baker, Phillip
> <pbaker at verisign.com> wrote:
> >
> > > From: cfrg-bounces at ietf.org [mailto:cfrg-bounces at ietf.org] On
> > > Behalf Of Daniel Brown
> >
> > > Because for long messages, the HMAC key is computed as
> > > SHA-1(m), is that what you're referring to?  Maybe the original intention
> > > was to modify HMAC to expand out the key somehow.  Anyway, I agree with
> > > you that MASH - with a compacted key - is no more secure than SHA1 as
> > > a HASH, for the reason above.
> >
> > The precise proposal is to use
> >
> > MASH (m) = HMAC (m, SHA (m))
> >
> > Where HMAC (m, k) is the HMAC of message m with key k.
> >
> > So the problem is to find
> >
> > HMAC (m1, SHA (m1)) = HMAC (m2, SHA (m2))
> >
> > If we find SHA (m1) = SHA (m2) the attacker still has to satisfy:
> >
> > HMAC (m1, k) = HMAC (m2, k)
> >
> > Which implies that
> >
> > H(K XOR opad, H(K XOR ipad, m1)) = H(K XOR opad, H(K XOR ipad, m2))
> >
> > It may be possible to find such a condition but I certainly do not believe
> > that this follows as a direct result of SHA (m1) = SHA (m2)
> >

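The argument above, as an added example that is not code from the thread or from any of its participants: a toy Merkle-Damgard hash with a 32-bit state and 4-byte blocks, wrapped in an RFC 2104 style HMAC, small enough that a collision "from any IV" can be found by brute force. With the key known (the situation Michael first assumed), the attacker derives the chaining value after absorbing K XOR ipad and birthday-searches two same-length messages that collide from there; because the padding and length blocks then match, the inner hashes collide and so do the full HMACs. The same pair is then fed to the MASH construction, where the key is H(m) and therefore not fixed in advance. The names toy_hash, toy_hmac, mash, inner_collision and demo, the compression function, the fixed IV and the sample key are all this example's own assumptions; the toy hash stands in for SHA.

```python
"""Toy model of the HMAC / MASH constructions discussed in the thread.

Added example, not code from the Cfrg thread or from any participant.  The
hash is deliberately tiny (32-bit state, 4-byte blocks) so that a collision
from a chosen IV can be found by brute force in well under a second.
"""
import itertools

MASK = 0xFFFFFFFF
BLOCK = 4                       # block size in bytes (also the key size used here)
IV0 = 0x67452301                # fixed initial chaining value (assumption of this example)
IPAD = bytes([0x36]) * BLOCK    # RFC 2104 inner / outer pads
OPAD = bytes([0x5C]) * BLOCK


def compress(h: int, w: int) -> int:
    """Toy compression function: mix the chaining value h with one 32-bit word w.

    Not a real hash design; it only needs to be deterministic and many-to-one.
    """
    x = (h + w) & MASK
    x ^= x >> 16
    x = (x * 0x7FEB352D) & MASK
    x ^= x >> 15
    x = (x * 0x846CA68B) & MASK
    x ^= x >> 16
    return x ^ h                # feed-forward, Davies-Meyer style


def md_state(iv: int, data: bytes) -> int:
    """Absorb whole blocks (no padding) starting from chaining value iv."""
    assert len(data) % BLOCK == 0
    h = iv
    for i in range(0, len(data), BLOCK):
        h = compress(h, int.from_bytes(data[i:i + BLOCK], "big"))
    return h


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros to a block boundary, then the length."""
    out = msg + b"\x80"
    out += b"\x00" * (-len(out) % BLOCK)
    return out + (len(msg) & MASK).to_bytes(BLOCK, "big")


def toy_hash(msg: bytes, iv: int = IV0) -> int:
    """Full hash: pad, then absorb from iv (any IV, as in the attack)."""
    return md_state(iv, pad(msg))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_hmac(key: bytes, msg: bytes) -> int:
    """HMAC(K, m) = H(K xor opad || H(K xor ipad || m)); the key is exactly one block."""
    assert len(key) == BLOCK
    inner = toy_hash(xor_bytes(key, IPAD) + msg)
    return toy_hash(xor_bytes(key, OPAD) + inner.to_bytes(BLOCK, "big"))


def mash(msg: bytes) -> int:
    """The proposal under discussion, MASH(m) = HMAC(m, SHA(m)), with toy_hash for SHA."""
    return toy_hmac(toy_hash(msg).to_bytes(BLOCK, "big"), msg)


def inner_collision(key: bytes):
    """Attack with a known key: IV' is the state after absorbing K xor ipad; find
    same-length m1 != m2 that collide from IV'.  Equal lengths mean the padding and
    length blocks match, so the complete inner hashes H(K xor ipad || m) collide too."""
    iv_prime = md_state(IV0, xor_bytes(key, IPAD))
    seen = {}
    for i in itertools.count(1):
        # distinct two-block messages in pseudo-random order (odd multiplier => bijection)
        m = ((i * 0x9E3779B97F4A7C15) & 0xFFFFFFFFFFFFFFFF).to_bytes(2 * BLOCK, "big")
        h = md_state(iv_prime, m)
        if h in seen:
            return seen[h], m
        seen[h] = m


def demo(key: bytes = b"\x01\x02\x03\x04") -> dict:
    """Known key (constructed sample): an inner collision is a full HMAC collision.
    Under MASH the key is H(m), so IV' is no longer fixed before the search."""
    m1, m2 = inner_collision(key)
    return {
        "m1": m1.hex(),
        "m2": m2.hex(),
        "hmac_known_key": (toy_hmac(key, m1), toy_hmac(key, m2)),
        "mash_keys": (toy_hash(m1), toy_hash(m2)),
        "mash": (mash(m1), mash(m2)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The search runs until the pigeonhole principle forces a repeat, so it always terminates; with a 32-bit state that takes on the order of 2^16 messages. Swapping the toy hash for a real one changes nothing structurally, which is the point of Michael's first message; the retraction rests only on the key no longer being known before the search.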
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg