[19941] in cryptography@c2.net mail archive


Re: general defensive crypto coding principles

daemon@ATHENA.MIT.EDU (Ben Laurie)
Sun Feb 12 19:22:32 2006

X-Original-To: cryptography@metzdowd.com
Date: Sun, 12 Feb 2006 17:40:27 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: "Travis H." <solinym@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <d4f1333a0602110336x622deb3dlda2af110c6f939a@mail.gmail.com>

Travis H. wrote:
> On 2/8/06, Jack Lloyd <lloyd@randombit.net> wrote:
>> An obvious example occurs when using a
>> deterministic authentication scheme like HMAC - an attacker can with high
>> probability detect duplicate plaintexts by looking for identical tags.
> 
> I think though that the solution is fairly simple; prepend a
> block-length random IV to the message and to the output of HMAC.
> 
> In fact, I've wondered if doing this on all hashes might be a good
> defensive programming idea.  It seems to defend against attacks of the
> sort to which /etc/passwd was subject (dictionary cracking) in much the
> same way that salt did*, and against guessing the plaintext for short
> plaintexts even when the language is unknown.

It also defends against the MD5 crack, and is one of the recommended
IETF solutions to hash problems.

-- 
http://www.links.org/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
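The duplicate-tag leak Jack Lloyd describes and the randomized fix Travis proposes, as an added example that is not part of the thread or any poster's code. It assumes HMAC-SHA256 and a random prefix of one hash block (64 bytes), which is one reading of "block-length random IV"; the key and messages are constructed sample data. The observer-side function counts distinct tags, which is exactly what a plain HMAC gives away and what the randomized variant hides.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption (not from the thread): HMAC-SHA256, with the random prefix sized to
# one hash block (64 bytes for SHA-256), matching the "block-length random IV".
IV_LEN = hashlib.sha256().block_size      # 64
TAG_LEN = hashlib.sha256().digest_size    # 32


def mac(key: bytes, msg: bytes) -> bytes:
    """Deterministic HMAC-SHA256: same key and same message always give the same tag."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def randomized_mac(key: bytes, msg: bytes, iv: Optional[bytes] = None) -> bytes:
    """HMAC over (iv || msg), with the iv prepended to the output.

    The iv is public and travels with the tag; it only needs to be fresh and
    unpredictable per message so equal plaintexts stop producing equal tags.
    """
    if iv is None:
        iv = os.urandom(IV_LEN)
    if len(iv) != IV_LEN:
        raise ValueError("iv must be exactly one hash block")
    return iv + mac(key, iv + msg)


def verify_randomized(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Split off the transmitted iv, recompute, and compare in constant time."""
    if len(tag) != IV_LEN + TAG_LEN:
        return False
    iv, expected = tag[:IV_LEN], tag[IV_LEN:]
    return hmac.compare_digest(mac(key, iv + msg), expected)


def distinct_tag_count(key: bytes, messages: List[bytes], randomized: bool) -> int:
    """What a passive observer learns from the tags alone.

    With deterministic HMAC, repeated plaintexts collapse onto one tag, so the
    number of distinct tags equals the number of distinct messages. With the
    randomized variant every tag differs, whatever the plaintexts were.
    """
    tags = [randomized_mac(key, m) if randomized else mac(key, m) for m in messages]
    return len(set(tags))


# Constructed sample traffic: five messages, only three distinct plaintexts.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_MESSAGES = [b"BUY 100", b"SELL 50", b"BUY 100", b"HOLD", b"BUY 100"]

if __name__ == "__main__":
    print("deterministic HMAC, distinct tags:",
          distinct_tag_count(SAMPLE_KEY, SAMPLE_MESSAGES, randomized=False))  # 3
    print("randomized HMAC, distinct tags:   ",
          distinct_tag_count(SAMPLE_KEY, SAMPLE_MESSAGES, randomized=True))   # 5
    tag = randomized_mac(SAMPLE_KEY, b"BUY 100")
    print("genuine message verifies:", verify_randomized(SAMPLE_KEY, b"BUY 100", tag))
    print("altered message verifies:", verify_randomized(SAMPLE_KEY, b"BUY 101", tag))
```

Two points worth noting when deploying this: the iv needs no secrecy, only freshness, so it can be sent in the clear alongside the tag; and because the tag now covers the iv as well as the message, an attacker cannot swap the iv to make a tag "fit" a different message, which the verifier checks by recomputing over the received pair.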
