Ben Laurie ben at
Thu Aug 26 07:41:34 EDT 2004

Amir Herzberg wrote:

> Perry E. Metzger wrote:
>> So the question now arises, is HMAC using any of the broken hash
>> functions vulnerable?
> Considering that HMAC's goal is `only` a MAC (shared key authentication), 
> the existence of any collision is not very relevant to its use. But 
> furthermore, what HMAC needs from the hash function is only that it will 
> be hard to find a collision when using an unknown, random key; clearly the 
> current collisions are far off from this situation.
> So, finding specific collisions in the hash function should not cause 
> too much worry about its use in HMAC. Of course, if this would lead to 
> finding many collisions easily, including to messages with random 
> prefixes, this could be more worrying...

Hmmm ... if you could persuade your victim to use a key that was known 
to be a suitable prefix for finding collisions...




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
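
An added illustration of the argument in this thread, not code from any of the posters: a collision found for the unkeyed hash does not by itself give two messages with the same HMAC tag under a key the finder did not use. It assumes a deliberately weak stand-in hash (MD5 truncated to 24 bits, so collisions are cheap to find); `toy_hash`, `hmac_with` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 input block size in bytes


def md5_full(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def toy_hash(data: bytes) -> bytes:
    """MD5 truncated to 24 bits: weak on purpose, so collisions are cheap."""
    return hashlib.md5(data).digest()[:3]


def hmac_with(h, key: bytes, msg: bytes) -> bytes:
    """HMAC construction (RFC 2104) over hash function h with 64-byte blocks."""
    if len(key) > BLOCK:
        key = h(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # The padded key is the first block of both hashes, so the message is
    # processed from a key-dependent state rather than from the public IV.
    return h(opad + h(ipad + msg))


def find_collision():
    """Birthday search: two distinct messages with the same toy_hash."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        counter += 1


def demo():
    m1, m2 = find_collision()
    key = bytes(range(16))  # constructed sample key; real keys are random and secret
    return m1, m2, hmac_with(toy_hash, key, m1), hmac_with(toy_hash, key, m2)


if __name__ == "__main__":
    m1, m2, t1, t2 = demo()
    print("unkeyed:", toy_hash(m1).hex(), toy_hash(m2).hex())
    print("HMAC   :", t1.hex(), t2.hex())
```
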

The Cryptography Mailing List