RE: [TLS] Truncated HMAC recommendation

Okay, so I was foolishly assuming that the key size was equal to the
non-truncated MAC length. Even given that the key size might be
larger, it'll be rare in TLS to require more than 16 (MAC, message)
pairs, so I think the broader point (that truncation doesn't
significantly raise the bar for an attacker who can collect messages)
still holds.

William

> -----Original Message-----
> From: Blumenthal, Uri [mailto:uri.blumenthal at intel.com] 
> Sent: Monday, November 27, 2006 3:55 PM
> To: tls at ietf.org
> Subject: RE: [TLS] Truncated HMAC recommendation
> 
> > But if you truncate it to half-length, two
> > MACs are enough to allow verification of a
> > guess with high probability. I don't think
> > this is a significant gain.
> 
> Cryptologic science disagrees with you. 
> 
> If your MAC size is N bits and your key size is K bits, then you need
> K/N known pairs of message <-> MAC in order to verify your guess of the
> key (I wonder why you think that just two MACs are enough if you leave
> only half of the MAC bits). Among other sources, see
> <http://www.cosic.esat.kuleuven.be/publications/thesis-16.pdf> (page
> 15).
> 
> _______________________________________________
> TLS mailing list
> TLS at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
> 

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
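
The K/N counting argument from the quoted message, worked through on a toy as an added example that is not part of either message in the thread. The 16-bit key, HMAC-SHA256 and the message strings are assumptions chosen so the whole key space can be enumerated in under a second; each known (message, MAC) pair with an N-bit tag cuts the set of consistent keys by a factor of about 2^N.

```python
import hashlib
import hmac
import math

KEY_BITS = 16  # toy key size (assumption) so every key can be enumerated


def truncated_mac(key: int, message: bytes, mac_bits: int) -> int:
    """HMAC-SHA256 under a KEY_BITS-bit key, keeping only the leading mac_bits bits."""
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    digest = hmac.new(key_bytes, message, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - mac_bits)


def pairs_needed(key_bits: int, mac_bits: int) -> int:
    """K/N from the quoted message, rounded up to whole pairs."""
    return math.ceil(key_bits / mac_bits)


def surviving_keys(true_key: int, mac_bits: int, n_pairs: int) -> list[int]:
    """Count of candidate keys still consistent after each successive known pair."""
    candidates = range(2 ** KEY_BITS)
    counts = []
    for i in range(n_pairs):
        message = b"constructed message %d" % i  # constructed sample input
        tag = truncated_mac(true_key, message, mac_bits)
        # Keep only the keys that reproduce the observed truncated tag.
        candidates = [k for k in candidates
                      if truncated_mac(k, message, mac_bits) == tag]
        counts.append(len(candidates))
    return counts


if __name__ == "__main__":
    for mac_bits in (8, 4):  # tag of half the key length, then a quarter
        counts = surviving_keys(0xBEEF, mac_bits, 6)
        print(f"N={mac_bits}: K/N={pairs_needed(KEY_BITS, mac_bits)}, "
              f"survivors after each pair: {counts}")
```

The survivor count falls to a handful around the K/N-th pair, and a few pairs beyond that leave only the true key, because roughly 2^(K - N*pairs) wrong keys are expected to match by chance.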