[Cryptography] A Fun Trick: The Little MAC Attack
David Leon Gil
coruus at gmail.com
Sat May 9 15:18:05 EDT 2015
On Fri, May 8, 2015 at 7:37 PM, Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> On Thu, May 7, 2015 at 8:14 PM, Dan Kaminsky <dan at doxpara.com> wrote:
>> Practical HMAC-MD5 Collisions!
>>
>> Not that they should ever matter...
>>
>> http://dankaminsky.com/2015/05/07/the-little-mac-attack/
Koblitz's and Menezes's papers about HMAC and NMAC explain this quite nicely:
"Another Look at Security Theorems for 1-Key Nested MACs."
https://eprint.iacr.org/2013/248.pdf
"Another look at HMAC." https://eprint.iacr.org/2012/074.pdf
This is (one of several reasons) that I dislike HMAC, and wish that
people would use hash functions with indifferentiability proofs
instead.
> There is actually a mode where they could matter. There exist
> applications where a MAC is used as the digest for a signature.
What applications, out of curiosity?
> This enables a mode where the signature can only be verified by someone
> who knows the secret without the loss of non-repudiation that a straight
> HMAC entails.
(I've been looking for a cite for this...)
- David
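As an added illustration (not part of this thread, nor of Kaminsky's post or the cited papers), the following Python shows the structural reason a MAC built as a nested hash inherits collisions from its inner hash: the outer call hashes nothing but the inner digest, so it cannot separate two messages the inner pass already merged. Real HMAC-MD5 collisions need a chosen-IV MD5 collision search, which this block does not attempt; instead it uses a toy hash (MD5 truncated to two bytes, an assumption made only so that a birthday search finishes instantly) and checks separately that the same nested construction reproduces Python's `hmac` module when given full MD5. The names `toy_hash`, `hmac_nested`, `find_inner_collision`, `demo` and `matches_stdlib` are the example's own, as is the sample key.

```python
"""Added example: why an inner-hash collision is an HMAC collision.

HMAC(K, m) = h((K xor opad) || h((K xor ipad) || m))

Everything below is constructed for illustration; the toy truncation is an
assumption so a birthday search completes in a fraction of a second.
"""
import hashlib
import hmac
import itertools

BLOCK_SIZE = 64        # MD5 block size in bytes (RFC 2104 pads the key to this)
TOY_DIGEST_BYTES = 2   # assumption: toy truncation so collisions are cheap to find


def md5_digest(data: bytes) -> bytes:
    """Full MD5, used only to check the construction against the stdlib."""
    return hashlib.md5(data).digest()


def toy_hash(data: bytes) -> bytes:
    """Constructed toy hash: MD5 truncated to TOY_DIGEST_BYTES.
    With a 16-bit digest a birthday search collides after roughly 2^8 tries."""
    return md5_digest(data)[:TOY_DIGEST_BYTES]


def _pad_key(key: bytes, h) -> bytes:
    """Key preprocessing from RFC 2104: hash if longer than a block, then zero-pad."""
    if len(key) > BLOCK_SIZE:
        key = h(key)
    return key.ljust(BLOCK_SIZE, b"\x00")


def hmac_nested(key: bytes, msg: bytes, h=toy_hash) -> bytes:
    """HMAC written out as the two nested hash calls, so the fact that the
    outer pass depends only on the inner digest is visible in the code."""
    k = _pad_key(key, h)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = h(ipad + msg)     # the only place the message itself is hashed
    return h(opad + inner)    # sees nothing but the inner digest


def find_inner_collision(key: bytes, h=toy_hash, prefix: bytes = b"msg-"):
    """Birthday search for two distinct messages with the same keyed inner
    digest h((K xor ipad) || m).  Knowing the key, i.e. the inner chaining
    state, is all that is needed; the outer pass never enters into it."""
    k = _pad_key(key, h)
    ipad = bytes(b ^ 0x36 for b in k)
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        d = h(ipad + m)
        if d in seen:
            return seen[d], m
        seen[d] = m


def demo(key: bytes = b"known-key"):
    """Return (m1, m2, mac1, mac2): two different messages whose toy HMACs agree."""
    m1, m2 = find_inner_collision(key)
    return m1, m2, hmac_nested(key, m1), hmac_nested(key, m2)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """True if hmac_nested over full MD5 equals hmac.new(key, msg, 'md5')."""
    return hmac_nested(key, msg, md5_digest) == hmac.new(key, msg, "md5").digest()


if __name__ == "__main__":
    m1, m2, t1, t2 = demo()
    print(f"{m1!r} and {m2!r} share toy HMAC {t1.hex()} == {t2.hex()}")
    print("nested construction matches stdlib HMAC-MD5:", matches_stdlib(b"secret", b"hello"))
```

The search needs the key only to fix the inner chaining state, which is the point of the thread: the collision costs nothing extra once that state is known, so in the quoted mode where the MAC stands in for the digest of a signature and the verifier necessarily holds the key, a single signature would validate both `m1` and `m2`.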