Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

Peter Gutmann pgut001 at
Wed Sep 16 21:20:45 EDT 2009

David Wagner <daw at> writes:

>(You could replace AES-CMAC with SHA1-HMAC, but why would you want to?)

The answer to that depends on whether you need to support an existing base of
crypto software and hardware.  Even though (in this case) it's a new standard,
it still requires support from the underlying crypto libraries.  If little or
none of those do AES-CMAC yet (I don't think Windows CryptoAPI does, only very
recent versions of OpenSSL do... it's not looking good) then you'd want to
stick with HMAC-SHA1.

(Forestalling the inevitable "but developers can implement AES-CMAC themselves 
from raw AES" that I'm sure someone will follow up with, the target audience 
for this is web application developers, not cryptographers, so you need to 
give them something that works as required out of the box).

