On Thu, Jan 05, 2012 at 12:45:14PM +1300, Peter Gutmann wrote:
> Thor Lancelot Simon <[email protected]> writes:
>
> >However, while looking at it I have been wondering why something simpler and
> >better analyzed than the "folded" SHA should not be used.
>
> Folding the output is belt-and-suspenders security; it denies an attacker
> direct access to the raw output of whatever the last stage of processing
> (3DES/AES/SHA1/HMAC-xxx/whatever) is. For example my generator is designed on
> the basis that any part of it should be able to fail completely (replacing a
> crypto step with memcpy() or using all-zero keys) without it affecting the
> security of the overall design, and to do that you need a lot of redundant
> security. Sure, using HMAC is cryptographically sound, but what happens if
> your HMAC key is compromised, or an attacker can glitch the hashing operation,
> or something else goes wrong?
I'm proposing to use HMAC with two different, non-secret keys: one to generate
the data supplied to the output stage, one to generate the data mixed back in.

It seems to me this uses the same number of invocations of the hash function
per output byte, and, unless I'm missing something, the "folding" surely isn't
_more_ secure. Am I missing something?

Thor

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
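The two output stages being compared in this exchange, as an added illustration that is not code from either poster or from any particular /dev/random implementation. The "folded" stage hashes the pool once, mixes the whole digest back in and emits the digest XORed against itself in halves; the two-key stage emits HMAC(K_OUT, pool) and mixes HMAC(K_MIX, pool) back in. The key labels, the 128-byte pool, the sample pool contents and the plain XOR feedback mixer are all assumptions made for the example; HMAC is written out by hand (RFC 2104) only so that the underlying SHA-1 invocations can be counted, and is checked against Python's hmac module.

```python
import hashlib
import hmac  # used only to cross-check the hand-written HMAC below

POOL_BYTES = 128   # assumed pool size for the illustration
BLOCK = 64         # SHA-1 block size, which fixes HMAC key padding
DIGEST = 20        # SHA-1 digest size

# Constructed sample pool state (not real entropy).
SAMPLE_POOL = bytes(range(POOL_BYTES))

# Non-secret, fixed domain-separation keys; the values are assumed.
K_OUT = b"output stage"
K_MIX = b"feedback"


class CountingSHA1:
    """SHA-1 wrapper that records how many times it was invoked."""

    def __init__(self):
        self.calls = 0

    def __call__(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha1(data).digest()


def xor_into(pool: bytes, data: bytes) -> bytes:
    """Assumed feedback mixer: XOR data into the front of the pool.
    Real pools use an LFSR-style mixer; plain XOR keeps the example short."""
    mixed = bytearray(pool)
    for i, b in enumerate(data):
        mixed[i % len(mixed)] ^= b
    return bytes(mixed)


def folded_extract(pool: bytes, H: CountingSHA1):
    """Folded-SHA output stage: one SHA-1 over the pool. The full digest is
    mixed back into the pool; the consumer gets the digest folded in half
    (bytes 0..9 XOR bytes 10..19), never the raw digest.
    Returns (output, value_fed_back, new_pool)."""
    digest = H(pool)
    half = DIGEST // 2
    output = bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))
    return output, digest, xor_into(pool, digest)


def hmac_sha1(key: bytes, msg: bytes, H: CountingSHA1) -> bytes:
    """Textbook HMAC-SHA1 on the counting hash: one call over the whole
    message, one call over a single block."""
    if len(key) > BLOCK:
        key = H(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return H(opad + H(ipad + msg))


def hmac_extract(pool: bytes, H: CountingSHA1):
    """Two-key HMAC output stage: HMAC(K_OUT, pool) goes to the consumer and
    HMAC(K_MIX, pool) is mixed back in. The two values are separate PRF
    outputs of the same state under different labels; neither is derived
    from the other. Returns (output, value_fed_back, new_pool)."""
    output = hmac_sha1(K_OUT, pool, H)
    feedback = hmac_sha1(K_MIX, pool, H)
    return output, feedback, xor_into(pool, feedback)


def verify_hmac_impl(pool: bytes = SAMPLE_POOL) -> bool:
    """Cross-check the hand-written HMAC against the standard library."""
    ours = hmac_sha1(K_OUT, pool, CountingSHA1())
    ref = hmac.new(K_OUT, pool, hashlib.sha1).digest()
    return hmac.compare_digest(ours, ref)


def compare(pool: bytes = SAMPLE_POOL) -> dict:
    """Run both stages once on the same pool and report output sizes,
    SHA-1 invocation counts and the emitted/fed-back values."""
    hf, hh = CountingSHA1(), CountingSHA1()
    f_out, f_fb, _ = folded_extract(pool, hf)
    h_out, h_fb, _ = hmac_extract(pool, hh)
    return {
        "folded_output_len": len(f_out), "folded_calls": hf.calls,
        "folded_output": f_out, "folded_feedback": f_fb,
        "hmac_output_len": len(h_out), "hmac_calls": hh.calls,
        "hmac_output": h_out, "hmac_feedback": h_fb,
    }


if __name__ == "__main__":
    r = compare()
    print("folded : %d bytes out, %d SHA-1 calls" % (r["folded_output_len"], r["folded_calls"]))
    print("2-key  : %d bytes out, %d SHA-1 calls (2 over the pool, 2 over one block)"
          % (r["hmac_output_len"], r["hmac_calls"]))
```

Of the four SHA-1 calls in the two-key stage, only two run over the pool; the other two are the HMAC outer hashes over a single block. In the folded stage the emitted bytes are a function of the very digest that is fed back, which is the relationship the folding is meant to obscure; in the two-key stage the emitted and fed-back values are produced under different keys and are not derived from one another.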
