Barney Wolff wrote:
> On Mon, Mar 21, 2005 at 11:56:44AM +0000, Ben Laurie wrote:
> > Musing on these points, I wondered about the construction:
> > H'(x)=H(H(x) || H(H(x) || x))
> > which doesn't allow an attacker any choice, doesn't change APIs and
> > doesn't change the length of the hash. Does this have any merit? Note
> > that this is essentially an HMAC where the key is H(x). I omitted the
> > padding because it seems to me that this actually makes HMAC weaker
> > against the current attacks.
> I believe the fatal flaw here is not the crypto, but losing the ability
> to hash a stream without keeping all of it. Both the hashes and HMAC
> have this sometimes-vital property.
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
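An added illustration of the streaming point in the exchange above (not code from the thread; SHA-256 stands in for the unspecified H): the first construction needs H(x) before x is fed into the inner hash, so x must be buffered, while the revised H(H(x || H(x)) || H(x)) can be computed in one pass by copying the hash state once x has been absorbed.

```python
import hashlib


def h(data: bytes) -> bytes:
    """Underlying hash H. SHA-256 is an assumption; the thread names no specific H."""
    return hashlib.sha256(data).digest()


def h_prime_original(x: bytes) -> bytes:
    """Ben's first construction: H'(x) = H(H(x) || H(H(x) || x)).
    H(x) must precede x inside the inner hash, so the whole of x has to be kept."""
    hx = h(x)
    return h(hx + h(hx + x))


def h_prime_fixed_direct(x: bytes) -> bytes:
    """Ben's revised construction, H'(x) = H(H(x || H(x)) || H(x)), computed naively
    from a complete buffer. Used here as the reference for the streaming version."""
    hx = h(x)
    return h(h(x + hx) + hx)


class StreamingHPrime:
    """One-pass computation of H(H(x || H(x)) || H(x)) over arbitrary chunks.

    A single state absorbs x. At finalisation the state is copied: the copy
    yields H(x), and the original keeps absorbing H(x) to give H(x || H(x)).
    Only the hash state is retained, never the message itself."""

    def __init__(self) -> None:
        self._state = hashlib.sha256()  # absorbs x, later x || H(x)

    def update(self, chunk: bytes) -> None:
        self._state.update(chunk)

    def digest(self) -> bytes:
        hx = self._state.copy().digest()  # H(x), without disturbing the stream
        self._state.update(hx)            # state now covers x || H(x)
        inner = self._state.digest()      # H(x || H(x))
        return h(inner + hx)              # H(H(x || H(x)) || H(x))


def streaming_h_prime(chunks) -> bytes:
    """Feed an iterable of byte chunks through StreamingHPrime."""
    s = StreamingHPrime()
    for c in chunks:
        s.update(c)
    return s.digest()
```

Chunk boundaries do not matter: the streaming result equals the buffered computation for any split of x.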
---------------------------------------------------------------------
The Cryptography Mailing List