[Cryptography] Why is a short HMAC key zero-padded instead of hashed?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Feb 5 06:41:12 EST 2017


Jerry Leichter <leichter at lrw.com> writes:

>That may well be, but we're talking not about the actual usage of the
>algorithm but about two *standards*, one from the IETF, one from NIST,
>recommending a procedure ... for no known reason.  Does anyone know where the
>"hash it if too long" mechanism came from, as it's not in the base research
>paper?  *Someone* must have proposed it.

It came from the people who gave us IKE.

>This is *probably* not a big deal:  No one does it, 

Except IKE.  I'm not sure if IKEv2 still does it, but in any case pretty much
everyone else just said "block size = key size".

>But what does it say about our standards processes that unnecessary
>complexity, solving no real problem, and *perhaps* introducing one, somehow
>gets slipped in to them?  

Standards are designed by the original authors, and then there's a lot of
horsetrading to get them adopted.  Sometimes you have to do weird stuff to get
them through, vendor X wants feature Y in order to endorse it so it goes into
the standard.  Or, sometimes, vendor A invents new feature B, badly, so the
standard gets changed to include a fixed-up version of B before other people
copy the broken one.

Peter.
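
Added example, not part of the original post or of any standard's text: the key preparation under discussion, as RFC 2104 specifies it ("hash it if too long", then zero-pad to the block size), written out in Python and checked against the standard library. The function names and sample keys are constructed for illustration; it also shows the key equivalences that both steps create.

```python
import hashlib
import hmac

def prepare_key(key: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 2104 key preparation: hash if longer than one block, then zero-pad."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()   # the "hash it if too long" step
    return key.ljust(block_size, b"\x00")            # the zero-padding step

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built directly from the hash so the key handling is visible."""
    k0 = prepare_key(key, hash_name)
    ipad = bytes(b ^ 0x36 for b in k0)
    opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def equivalent_keys(key_a: bytes, key_b: bytes, hash_name: str = "sha256") -> bool:
    """True if both keys prepare to the same block, i.e. give identical MACs."""
    return prepare_key(key_a, hash_name) == prepare_key(key_b, hash_name)

# Constructed sample inputs (not from the original post).
MSG = b"constructed sample message"
SHORT_KEY = b"short-key"           # shorter than the 64-byte SHA-256 block
LONG_KEY = b"k" * 100              # longer than the block, so it gets hashed
BLOCK_KEY = bytes(range(64))       # "block size = key size": used as-is

def demo() -> dict:
    keys = (SHORT_KEY, LONG_KEY, BLOCK_KEY)
    return {
        # The manual construction agrees with hmac from the standard library.
        "matches_stdlib": all(
            hmac_manual(k, MSG) == hmac.new(k, MSG, "sha256").digest() for k in keys
        ),
        # Zero-padding: a short key and the same key with a trailing 0x00 collide.
        "short_vs_zero_extended": equivalent_keys(SHORT_KEY, SHORT_KEY + b"\x00"),
        # Hashing: a long key and its own digest collide.
        "long_vs_its_hash": equivalent_keys(LONG_KEY, hashlib.sha256(LONG_KEY).digest()),
        # A key of exactly one block passes through untouched.
        "block_key_unchanged": prepare_key(BLOCK_KEY) == BLOCK_KEY,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A system that accepts variable-length HMAC keys can avoid both equivalences by fixing the key length, as in the "block size = key size" practice mentioned above.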

