SHA-1 cracked
Dan Kaminsky
dan at doxpara.com
Thu Feb 17 14:16:32 EST 2005
>and what about HMAC-SHA1 ? Is it reducing the operation required by
>the same factor or as the structure of HMAC is so different that the
>attack is very unlikely to be practical ?
Depends if you care about HMAC collisions being computationally
infeasible or not. The attack against MD5 adapts to arbitrary initial
states, and you can basically consider HMAC a complex mechanism for
introducing a password into the initial state. So, as an attacker, I
can indeed create two payloads with the same HMAC-MD5 hash, presuming I
know the password. But, as several people pointed out, this is a little
like saying AES is insecure if the attacker learns the key. The
primitive itself specifies that this must remain secret; behavior when
it doesn't isn't specified.
Presumably, the attack against SHA-1 has similar output to the attack
from MD5 (though we can't be sure -- specifically, the padding was
totally orthogonal to the crypto break for MD5, so it's odd that some
people are saying it's making a difference for SHA-1). So, I don't
expect things to be any different.
--Dan
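The point above, that HMAC only feeds the key into the hash's starting state, can be seen directly by building HMAC per RFC 2104 and comparing it with a version that resumes from the state left after absorbing the single (K xor ipad) block. This is an added illustration, not code from the post; the key and messages are constructed sample values.

```python
import hashlib
import hmac

def _block_key(key: bytes, algo: str) -> bytes:
    """RFC 2104 key preparation: hash keys longer than one block, then zero-pad."""
    block = hashlib.new(algo).block_size          # 64 bytes for both MD5 and SHA-1
    if len(key) > block:
        key = hashlib.new(algo, key).digest()
    return key.ljust(block, b"\x00")

def keyed_inner_state(key: bytes, algo: str = "sha1"):
    """Absorb exactly one block, (K xor ipad), and return the hash object.
    Its internal chaining value is the 'initial state' the key induces; every
    message is hashed starting from that state, which is why a collision attack
    that works for arbitrary IVs carries over once the key is known."""
    k = _block_key(key, algo)
    return hashlib.new(algo, bytes(b ^ 0x36 for b in k))

def hmac_from_state(key: bytes, msg: bytes, algo: str = "sha1") -> str:
    """HMAC computed by resuming the keyed inner state, then the outer hash."""
    k = _block_key(key, algo)
    inner = keyed_inner_state(key, algo)
    inner.update(msg)                              # continue from the keyed state
    outer = hashlib.new(algo, bytes(b ^ 0x5C for b in k))
    outer.update(inner.digest())
    return outer.hexdigest()

def hmac_rfc2104(key: bytes, msg: bytes, algo: str = "sha1") -> str:
    """The same construction written out as H((K^opad) || H((K^ipad) || m))."""
    k = _block_key(key, algo)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    return hashlib.new(algo, opad + hashlib.new(algo, ipad + msg).digest()).hexdigest()

def matches_stdlib(key: bytes, msg: bytes, algo: str = "sha1") -> bool:
    """Cross-check both hand-rolled versions against the standard library."""
    ref = hmac.new(key, msg, getattr(hashlib, algo)).hexdigest()
    return hmac_from_state(key, msg, algo) == ref == hmac_rfc2104(key, msg, algo)

def hmac_equality_tracks_inner(key: bytes, m1: bytes, m2: bytes, algo: str = "sha1") -> bool:
    """With the key known, HMAC(m1) == HMAC(m2) exactly when the inner keyed
    hashes collide: the outer hash adds no separation between colliding inputs."""
    s1, s2 = keyed_inner_state(key, algo), keyed_inner_state(key, algo)
    s1.update(m1)
    s2.update(m2)
    inner_equal = s1.digest() == s2.digest()
    outer_equal = hmac_from_state(key, m1, algo) == hmac_from_state(key, m2, algo)
    return inner_equal == outer_equal
```

Note that the message-length padding sits after m inside the inner hash, so it is fixed by the message and the key block, not something the outer hash changes.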
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com