[Cryptography] A Fun Trick: The Little MAC Attack

Dan Kaminsky dan at doxpara.com
Sun May 10 21:12:44 EDT 2015


On Saturday, May 9, 2015, David Leon Gil <coruus at gmail.com> wrote:

> On Fri, May 8, 2015 at 7:37 PM, Phillip Hallam-Baker
> <phill at hallambaker.com> wrote:
> > On Thu, May 7, 2015 at 8:14 PM, Dan Kaminsky <dan at doxpara.com> wrote:
> >> Practical HMAC-MD5 Collisions!
> >>
> >> Not that they should ever matter...
> >>
> >> http://dankaminsky.com/2015/05/07/the-little-mac-attack/
>
> Koblitz's and Menezes's papers about HMAC and NMAC explain this quite
> nicely:
>
> "Another Look at Security Theorems for 1-Key Nested MACs."
> https://eprint.iacr.org/2013/248.pdf
>
> "Another look at HMAC." https://eprint.iacr.org/2012/074.pdf
>
> This is (one of several reasons) that I dislike HMAC, and wish that
> people would use hash functions with indifferentiability proofs
> instead.


I read through the papers -- they get close, but never quite reach "if you
have a collision in the hash function, you have a trivial collision in HMAC
itself".  Maybe you can help me find that?

I really tried to find some reasonable way to complain about this property
but it just isn't HMAC's job to provide collision resistance.


>
> > There is actually a mode where they could matter. There exist
> > applications where a MAC is used as the digest for a signature.
>
> What applications, out of curiosity?


Curious myself.


>
> > This enables a mode where the signature can only be verified by someone
> > who knows the secret without the loss of non-repudiation that a straight
> > HMAC entails.
>
> (I've been looking for a cite for this...)
>
> - David
>
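The property under discussion above, as an added toy demonstration that is not code from this thread or from the linked post: a Merkle-Damgård hash with a 16-bit chaining state, HMAC built on it as RFC 2104 specifies, and a birthday search for one-block collisions. It shows that a collision found for the unkeyed hash does not carry into HMAC, because the inner hash starts from the state left by (key XOR ipad), while a collision found from that key-derived state is a full HMAC collision that survives any common suffix. The compression function, constants, function names and the sample key are all constructed for this example.

```python
import hashlib

BLOCK = 4       # toy block size in bytes (MD5 uses 64)
IV0 = 0x1234    # fixed initial chaining value, as every Merkle-Damgard hash has

def compress(state: int, block: bytes) -> int:
    # Toy compression function with a 16-bit state so collisions are brute-forceable; SHA-256 only makes it look random.
    d = hashlib.sha256(state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")

def toy_hash(msg: bytes, iv: int = IV0) -> bytes:
    # Merkle-Damgard iteration with MD-strengthening padding (0x80, zeros, length block).
    data = msg + b"\x80"
    data += b"\x00" * (-len(data) % BLOCK) + len(msg).to_bytes(BLOCK, "big")
    state = iv
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state.to_bytes(2, "big")

def keypad(key: bytes, const: int) -> bytes:
    # key XOR ipad (0x36) or opad (0x5c), zero-padded to one block (key is at most one block here)
    return bytes(b ^ const for b in key.ljust(BLOCK, b"\x00"))

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    # HMAC as RFC 2104 defines it, over the toy hash
    return toy_hash(keypad(key, 0x5C) + toy_hash(keypad(key, 0x36) + msg))

def inner_state(key: bytes) -> int:
    # Chaining value after the inner hash absorbs (key XOR ipad): the effective IV the message sees.
    return compress(IV0, keypad(key, 0x36))

def find_block_collision(iv: int) -> tuple:
    # Birthday search: two distinct one-block messages with the same chaining value under iv.
    seen = {}
    for i in range(1 << (8 * BLOCK)):
        block = i.to_bytes(BLOCK, "big")
        h = compress(iv, block)
        if h in seen:
            return seen[h], block
        seen[h] = block

def demo(key: bytes, suffix: bytes) -> dict:
    a, b = find_block_collision(IV0)               # collision for the unkeyed hash
    c, d = find_block_collision(inner_state(key))  # collision relative to the key-derived state
    return {
        # The unkeyed collision does not carry into HMAC: the inner hash starts from a different state.
        "unkeyed_collision_breaks_hmac": toy_hmac(key, a) == toy_hmac(key, b),
        # A collision found from the inner state is a full HMAC collision, and survives any suffix.
        "keyed_collision_breaks_hmac": toy_hmac(key, c) == toy_hmac(key, d)
            and toy_hmac(key, c + suffix) == toy_hmac(key, d + suffix),
    }
```

Running `demo(b"k3y!", b"-any-suffix")` takes a few hundred compression calls per search; the keyed result is always True, the unkeyed one is False except by a 2^-16 accident.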