> Ben,
> x can equal either test vector released by Wang, and H(x) will be
> identical. With H(x) identical, the rest of the HMAC stays identical too.
This does not appear to be correct - in my construction, i.e. without padding, then the fact that x and x' differ means that the first blocks are different, but not the colliding kind of different (since the first blocks will be 20 bytes of H(x) and blocksize-20 bytes of x or x' [or, to be pedantic, the first 20 bytes of the next block will be different]). Even if padding were included, x and x' would still not collide, because the chaining values would not be as needed at the start of the second block.
> As a couple of people pointed out, it's OK that HMAC is "vulnerable" to
> the Wang attack, since in order to execute the attack the key is
> required (and like AES, if the key is compromised, all bets are off).

But you're not using HMAC as a MAC; you're using it to prop up a broken hash.
> Regarding the "Random" appendage, people don't seem to realize how
> important synchronized initial states are to many hashing algorithms. One of the major uses of a hashing algorithm is to act as an
> *exchangeable* handle to data, in other words, you and I can both hash
> our respective datasets and see if they're identical. If we're each
> using different initial states, that process fails utterly.
Obviously. But I don't understand your point.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
