Propping up SHA-1 (or MD5)
Ben Laurie
ben at algroup.co.uk
Tue Mar 22 04:50:26 EST 2005
Dan Kaminsky wrote:
> Ben,
>
> x can equal either test vector released by Wang, and H(x) will be
> identical. With H(x) identical, the rest of the HMAC stays identical too.
This does not appear to be correct - in my construction, i.e. without
padding, the fact that x and x' differ means that the first blocks
are different, but not the colliding kind of different (since the first
blocks will be 20 bytes of H(x) and blocksize-20 bytes of x or x' [or,
to be pedantic, the first 20 bytes of the next block will be
different]). Even if padding were included, x and x' would still not
collide, because the chaining values would not be as needed at the start
of the second block.
> As a couple people pointed out, it's OK that HMAC is "vulnerable" to
> the Wang attack, since in order to execute the attack the key is
> required (and like AES, if the key is compromised, all bets are off).
> But you're not using HMAC as a MAC; you're using it to prop up a broken
> hash.
>
> Regarding the "Random" appendage, people don't seem to realize how
> important synchronized initial states are to many hashing algorithms.
> One of the major uses of a hashing algorithm is to act as an
> *exchangeable* handle to data, in other words, you and I can both hash
> our respective datasets and see if they're identical. If we're each
> using different initial states, that process fails utterly.
Obviously. But I don't understand your point.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
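The structural point Ben makes above (a collision for x, x' found under the hash's fixed IV does not survive once H(x) is placed in front of the message, because the first block now differs and the chaining value entering the rest of x is no longer the IV) can be shown with a deliberately weak toy Merkle-Damgard hash. This is an added example, not code from the thread or from either author: the hash is constructed here so that a collision is brute-forceable in seconds, it is not SHA-1 or MD5, the colliding pair is not Wang's, and `propped_hash` is my reading of Ben's construction as H(H(x) || x) with no padding of H(x) to the block size.

```python
# Toy Merkle-Damgard hash (32-bit state, 8-byte blocks) standing in for SHA-1.
# Constructed for illustration only: weak enough to collide by brute force.
BLOCK = 8        # bytes per compression-function input block
DIGEST = 4       # bytes of output (plays the role of SHA-1's 20)
MASK = 0xFFFFFFFF
IV = 0x67452301  # fixed, public initial chaining value

def compress(h: int, block: bytes) -> int:
    """Davies-Meyer style: permute h under the block as key, then feed h forward."""
    k = int.from_bytes(block, "big")
    k_hi, k_lo = k >> 32, k & MASK
    x = h
    for sub in (k_lo, k_hi, k_lo ^ k_hi):
        x = ((x ^ sub) * 0x9E3779B1) & MASK
        x ^= x >> 15
        x = (x + sub) & MASK
    return x ^ h

def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration with the usual 0x80 / zero / bit-length padding."""
    data = msg + b"\x80"
    data += b"\x00" * (-len(data) % BLOCK)
    data += (8 * len(msg)).to_bytes(BLOCK, "big")
    h = IV
    for off in range(0, len(data), BLOCK):
        h = compress(h, data[off:off + BLOCK])
    return h.to_bytes(DIGEST, "big")

def propped_hash(msg: bytes) -> bytes:
    """Assumed reading of Laurie's construction: H(H(x) || x), H(x) not padded."""
    return toy_hash(toy_hash(msg) + msg)

def outer_first_block(msg: bytes) -> bytes:
    """First block the outer hash sees: DIGEST bytes of H(x), then BLOCK-DIGEST bytes of x."""
    return (toy_hash(msg) + msg)[:BLOCK]

def find_collision(limit: int = 1 << 19):
    """Birthday search over one-block counter messages for x != x' with H(x) == H(x')."""
    seen = {}
    for i in range(limit):
        m = i.to_bytes(BLOCK, "little")   # differing bytes land at the front of x
        d = toy_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision found; raise the limit")

if __name__ == "__main__":
    x, x2 = find_collision()
    print("inner digests equal:", toy_hash(x).hex(), toy_hash(x2).hex())
    print("outer first blocks differ:", outer_first_block(x) != outer_first_block(x2))
    print("propped digests:", propped_hash(x).hex(), propped_hash(x2).hex())
```

The inner collision holds because both messages are compressed from the same IV; in the outer hash the colliding bytes are compressed alongside H(x) in a block that differs between x and x', so the collision is not the "colliding kind of different" and the propped digests diverge.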