[16010] in cryptography@c2.net mail archive
Re: HMAC?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Aug 26 09:04:31 2004
X-Original-To: cryptography@metzdowd.com
Date: Thu, 26 Aug 2004 12:41:34 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Amir Herzberg <herzbea@macs.biu.ac.il>
Cc: "Perry E. Metzger" <perry@piermont.com>,
cryptography@metzdowd.com
In-Reply-To: <4122101C.70200@cs.biu.ac.il>
Amir Herzberg wrote:
> Perry E. Metzger wrote:
>
>> So the question now arises, is HMAC using any of the broken hash
>> functions vulnerable?
>
> Considering that HMAC's goal is `only` a MAC (shared key authentication),
> the existence of any collision is not very relevant to its use. But
> furthermore, what HMAC needs from the hash function is only that it will
> be hard to find a collision when using an unknown, random key; clearly the
> current collisions are far off from this situation.
>
> So, finding specific collisions in the hash function should not cause
> too much worry about its use in HMAC. Of course, if this would lead to
> finding many collisions easily, including to messages with random
> prefixes, this could be more worrying...
Hmmm ... if you could persuade your victim to use a key that was known
to be a suitable prefix for finding collisions...
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
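
Added example, not part of the original message: a Python sketch of the two points in this exchange, that a keyless hash collision does not carry over to HMAC under an unknown key, and that a key known to the attacker turns HMAC into a public function that can be searched offline. The 24-bit `toy_hash`, the message format and both keys are constructed assumptions; the toy hash models only the cheapness of collisions, not the internal structure of MD5 or SHA-1.

```python
import hashlib
from itertools import count

BLOCK = 64  # HMAC block size in bytes, as for MD5 and SHA-1

def toy_hash(data: bytes) -> bytes:
    """Constructed weak hash: SHA-256 cut to 24 bits so collisions are cheap."""
    return hashlib.sha256(data).digest()[:3]

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """The HMAC construction (RFC 2104) instantiated with toy_hash."""
    if len(key) > BLOCK:
        key = toy_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return toy_hash(opad + toy_hash(ipad + msg))

def find_collision(fn):
    """Birthday search over constructed messages: two inputs, one output."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        tag = fn(msg)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg

# Constructed sample keys: one the attacker never sees, one the attacker knows.
SECRET_KEY = hashlib.sha256(b"constructed secret key").digest()
KNOWN_KEY = b"key the attacker knows in advance"

def demo():
    # 1. Keyless collision in the hash: found offline, no key involved.
    m1, m2 = find_collision(toy_hash)
    # 2. The same pair under HMAC with an unknown key: the key is mixed in
    #    before the messages, so the keyless collision does not carry over.
    survives = toy_hmac(SECRET_KEY, m1) == toy_hmac(SECRET_KEY, m2)
    # 3. Once the key is known, HMAC is a public function and the same
    #    offline search runs against it directly.
    k1, k2 = find_collision(lambda m: toy_hmac(KNOWN_KEY, m))
    return (m1, m2, survives), (k1, k2)

if __name__ == "__main__":
    (m1, m2, survives), (k1, k2) = demo()
    print("hash collision:", m1, m2, "-> collides under secret-key HMAC:", survives)
    print("known-key HMAC collision:", k1, k2)
```

The practical check that follows is that HMAC keys must be generated randomly by the party relying on the MAC and never accepted from, or disclosed to, an untrusted party.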