[Cryptography] Why is a short HMAC key zero-padded instead of hashed?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Feb 5 06:41:12 EST 2017
Jerry Leichter <leichter at lrw.com> writes:
>That may well be, but we're talking not about the actual usage of the
>algorithm but about two *standards*, one from the IETF, one from NIST,
>recommending a procedure ... for no known reason. Does anyone know where the
>"hash it if too long" mechanism came from, as it's not in the base research
>paper? *Someone* must have proposed it.
It came from the people who gave us IKE.
>This is *probably* not a big deal: No one does it,
Except IKE. I'm not sure if IKEv2 still does it, but in any case pretty much
everyone else just said "block size = key size".
>But what does it say about our standards processes that unnecessary
>complexity, solving no real problem, and *perhaps* introducing one, somehow
>gets slipped in to them?
Standards are designed by the original authors, and then there's a lot of
horsetrading to get them adopted. Sometimes you have to do weird stuff to get
them through, vendor X wants feature Y in order to endorse it so it goes into
the standard. Or, sometimes, vendor A invents new feature B, badly, so the
standard gets changed to include a fixed-up version of B before other people
copy the broken one.
Peter.
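
For reference, the two key-handling rules this thread is about (RFC 2104: zero-pad a key shorter than the hash block size, hash a key that is longer), written out in Python as an added example that is not part of the original message. The helper names and the sample keys and message are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().block_size  # 64 bytes for SHA-256


def normalize_key(key: bytes) -> bytes:
    """Return the block-sized key that HMAC-SHA256 actually uses."""
    if len(key) > BLOCK:
        # "Hash it if too long": the key is replaced by its 32-byte digest.
        key = hashlib.sha256(key).digest()
    # Short keys (and the digest from the branch above) are zero-padded.
    return key.ljust(BLOCK, b"\x00")


def hmac_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC built directly on SHA-256 so the key handling is visible."""
    k0 = normalize_key(key)
    ipad = bytes(b ^ 0x36 for b in k0)
    opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def stdlib_mac(key: bytes, msg: bytes) -> bytes:
    """Reference value from the standard library implementation."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def same_mac(key_a: bytes, key_b: bytes, msg: bytes) -> bool:
    """True if both keys authenticate msg to the same tag."""
    return hmac.compare_digest(stdlib_mac(key_a, msg), stdlib_mac(key_b, msg))


# Constructed sample inputs.
MSG = b"constructed sample message"
SHORT_KEY = b"short-key"
LONG_KEY = b"K" * 100
LONG_KEY_DIGEST = hashlib.sha256(LONG_KEY).digest()

if __name__ == "__main__":
    print("manual == stdlib:", hmac_manual(SHORT_KEY, MSG) == stdlib_mac(SHORT_KEY, MSG))
    # Zero-padding: a trailing NUL byte does not change the effective key.
    print("K vs K||00:", same_mac(SHORT_KEY, SHORT_KEY + b"\x00", MSG))
    # Hashing: an over-long key and its digest are the same effective key.
    print("K vs H(K):", same_mac(LONG_KEY, LONG_KEY_DIGEST, MSG))
```

Code that treats HMAC keys as unique identifiers has to compare the normalized form, since distinct byte strings can be the same effective key.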