HMAC?
John Kelsey
kelsey.j at ix.netcom.com
Thu Aug 26 11:09:14 EDT 2004
>From: Ben Laurie <ben at algroup.co.uk>
>Sent: Aug 26, 2004 7:41 AM
>To: Amir Herzberg <herzbea at macs.biu.ac.il>
>Cc: "Perry E. Metzger" <perry at piermont.com>, cryptography at metzdowd.com
>Subject: Re: HMAC?
>Amir Herzberg wrote:
>> So, finding specific collisions in the hash function should not cause
>> too much worry about its use in HMAC. Of course, if this would lead to
>> finding many collisions easily, including to messages with random
>> prefixes, this could be more worrying...
>Hmmm ... if you could persuade your victim to use a key that was known
>to be a suitable prefix for finding collisions...
The big question is what the probability is of getting a successful
colliding message pair when you have complete control over the
message, but don't know the IV. For repeated queries, you can know
it's always the *same* IV, if that helps, just not what it is. I
don't think we can know that until we've seen the full explanation in
the Wang et al. paper, which hasn't been released yet.
--John Kelsey
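To make concrete the "unknown but fixed IV" that Kelsey describes, here is an added example (not code from the thread or from any of its participants) that builds HMAC from scratch per RFC 2104 and exposes the inner chaining state after the K xor ipad block: the attacker-controlled message is only hashed on top of that state, which depends solely on the secret key. The key and message values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # input block size, in bytes, of both MD5 and SHA-1


def _block_key(key: bytes, hashfunc) -> bytes:
    """Normalise the key to exactly one hash block, as RFC 2104 requires."""
    if len(key) > BLOCK_SIZE:
        key = hashfunc(key).digest()          # over-long keys are hashed first
    return key.ljust(BLOCK_SIZE, b"\x00")     # then zero-padded to a full block


def inner_hash_state(key: bytes, hashfunc=hashlib.sha1):
    """Hash object after absorbing only the (K' xor ipad) block.

    From the attacker's viewpoint this state is the effective IV of the inner
    hash: the same for every query under one key, but not computable without
    the key. Every byte of the message is hashed after it.
    """
    h = hashfunc()
    h.update(bytes(b ^ 0x36 for b in _block_key(key, hashfunc)))
    return h


def inner_state_digest(key: bytes, hashfunc=hashlib.sha1) -> bytes:
    """Finalised view of the secret inner state, for comparing keys."""
    return inner_hash_state(key, hashfunc).digest()


def hmac_from_scratch(key: bytes, msg: bytes, hashfunc=hashlib.sha1) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    inner = inner_hash_state(key, hashfunc)
    inner.update(msg)                          # message enters only here
    opad = bytes(b ^ 0x5C for b in _block_key(key, hashfunc))
    return hashfunc(opad + inner.digest()).digest()


def matches_stdlib(key: bytes, msg: bytes, name: str = "sha1") -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    ours = hmac_from_scratch(key, msg, getattr(hashlib, name))
    return hmac.compare_digest(ours, hmac.new(key, msg, name).digest())


if __name__ == "__main__":
    k, m = b"constructed-secret-key", b"attacker-chosen message"   # constructed values
    print(hmac_from_scratch(k, m).hex(), matches_stdlib(k, m))
```

Two queries under the same key start from an identical inner state, while any other key yields a different one, which is exactly the "same IV, but unknown" situation the message describes.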
---------------------------------------------------------------------
The Cryptography Mailing List