> and what about HMAC-SHA1? Is it reducing the operation required by
> the same factor, or is the structure of HMAC so different that the
> attack is very unlikely to be practical?

Depends if you care about HMAC collisions being computationally infeasible or not. The attack against MD5 adapts to arbitrary initial states, and you can basically consider HMAC a complex mechanism for introducing a password into the initial state. So, as an attacker, I can indeed create two payloads with the same HMAC-MD5 hash, presuming I know the password. But, as several people pointed out, this is a little like saying AES is insecure if the attacker learns the key. The primitive itself specifies that this must remain secret; behavior when it doesn't isn't specified.

Presumably, the attack against SHA-1 has similar output to the attack from MD5 (though we can't be sure -- specifically, the padding was totally orthogonal to the crypto break for MD5, so it's odd that some people are saying it's making a difference for SHA-1). So, I don't expect things to be any different.

--Dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
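Editor's note: the "password into the initial state" view in the message above is exactly what the HMAC construction (RFC 2104) does, and the following Python is an added illustration, not code from the message or from the mailing list. It builds HMAC by hand over `hashlib`, checks it against the standard library's `hmac` module, and shows that the key's only effect on the inner hash is to set the chaining state from which the attacker-chosen message is then hashed. The sample keys and messages are constructed for the example; the function names are the editor's.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 and SHA-1 both compress 64-byte blocks


def _normalize_key(key: bytes, hashfn) -> bytes:
    """RFC 2104 key handling: hash keys longer than a block, zero-pad to a block."""
    if len(key) > BLOCK_SIZE:
        key = hashfn(key).digest()
    return key.ljust(BLOCK_SIZE, b"\x00")


def hmac_manual(key: bytes, msg: bytes, hashfn=hashlib.md5) -> bytes:
    """HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m)), written out in full."""
    k = _normalize_key(key, hashfn)
    k_ipad = bytes(b ^ 0x36 for b in k)
    k_opad = bytes(b ^ 0x5C for b in k)
    # (K ^ ipad) is exactly one block, so the compression function consumes it
    # first and every message byte is hashed from that key-dependent state.
    inner = hashfn(k_ipad + msg).digest()
    return hashfn(k_opad + inner).digest()


def keyed_initial_state(key: bytes, hashfn=hashlib.md5):
    """Hash object whose internal state is the key-dependent "IV" of the inner hash.

    Nothing about the message has been absorbed yet; this is the state an
    attacker who knows the key would start a collision search from.
    """
    k = _normalize_key(key, hashfn)
    h = hashfn()
    h.update(bytes(b ^ 0x36 for b in k))
    return h


def hmac_from_state(key: bytes, msg: bytes, hashfn=hashlib.md5) -> bytes:
    """Same HMAC as hmac_manual, but resumed from the precomputed keyed state."""
    h = keyed_initial_state(key, hashfn).copy()  # copy so the state is reusable
    h.update(msg)
    inner = h.digest()
    k = _normalize_key(key, hashfn)
    k_opad = bytes(b ^ 0x5C for b in k)
    return hashfn(k_opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hashfn=hashlib.md5) -> bool:
    """Defender-side check: constant-time comparison against the expected tag."""
    return hmac.compare_digest(hmac_manual(key, msg, hashfn), tag)


if __name__ == "__main__":
    key = b"constructed-example-key"          # constructed sample, not a real secret
    msg = b"transfer 10 to account 42"        # constructed sample message
    print("HMAC-MD5 (manual):  ", hmac_manual(key, msg).hex())
    print("HMAC-MD5 (hmac lib):", hmac.new(key, msg, hashlib.md5).hexdigest())
    print("HMAC-SHA1 (manual): ", hmac_manual(key, msg, hashlib.sha1).hex())
    print("tag verifies:", verify_tag(key, msg, hmac_manual(key, msg)))
```

The point of `keyed_initial_state` is structural: for a fixed key the inner hash state before any message byte is absorbed is constant, so two messages that collide under the hash started from that state collide under the whole HMAC, which is the scenario the message above describes for an attacker who already holds the key. Without the key, that state is unknown, and the collision attack has nothing to start from.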
