[19932] in cryptography@c2.net mail archive
Re: general defensive crypto coding principles
daemon@ATHENA.MIT.EDU (Travis H.)
Sat Feb 11 11:20:19 2006
X-Original-To: cryptography@metzdowd.com
Date: Sat, 11 Feb 2006 05:36:25 -0600
From: "Travis H." <solinym@gmail.com>
To: cryptography@metzdowd.com
In-Reply-To: <20060208165356.GD1249@randombit.net>
On 2/8/06, Jack Lloyd <lloyd@randombit.net> wrote:
> An obvious example occurs when using a
> deterministic authentication scheme like HMAC - an attacker can with high
> probability detect duplicate plaintexts by looking for identical tags.
I think, though, that the solution is fairly simple: prepend a
block-length random IV to the message and to the output of HMAC.
In fact, I've wondered if doing this on all hashes might be a good
defensive programming idea. It seems to defend against attacks of the
sort to which /etc/passwd was subject (dictionary cracking) in much the
same way that salt did*, and against guessing the plaintext for short
plaintexts even when the language is unknown.
[*] Salts of course defended against hardware implementations by
perturbing the S-tables instead of altering the input.
--
"Cryptography is nothing more than a mathematical framework for discussing
various paranoid delusions." -- Don Alvarez
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com