http://eprint.iacr.org/2006/319
Cryptology ePrint Archive: Report 2006/319
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
Scott Contini and Yiqun Lisa Yin
Abstract. In this paper, we analyze the security of HMAC and NMAC,
both of which are hash-based
Simon Josefsson [EMAIL PROTECTED] writes:
Not using e=3 when generating a key seems like an easy sell.
Almost no-one does this anyway, but I don't think that's much help.
A harder sell might be whether widely deployed implementations such as TLS
should start to reject signatures done with an
Leichter, Jerry [EMAIL PROTECTED] writes:
| I don't think it's a problem, you just take the ASN.1 DigestInfo
| value, since the trailing garbage isn't part of the DigestInfo, you
| ignore it. Specifically, the ASN.1 object is entirely self-contained,
| so you can tell exactly where it ends and
Leichter, Jerry [EMAIL PROTECTED] writes:
Granted, one or more implementations got this wrong. (Has anyone looked
to see if all the incorrect code descends from a common root, way
back when?)
We have at least three independent widely used implementations that
got things wrong: OpenSSL,
Yet another e=3 attack, although this one is a bit special-case. As Burt
Kaliski points out in his paper on hash function firewalls,
http://www.rsasecurity.com/rsalabs/staff/bios/bkaliski/publications/hash-firewalls/kaliski-hash-firewalls-ct-rsa-2002.pdf,
if you can control the
Leichter, Jerry [EMAIL PROTECTED] writes:
A several year old paper by Kaliski discussed using the ASN.1 OID to store
data in.
Damn, beat me to it :-).
It has slightly different properties, but the lesson in this context is that
implementations must properly check the ASN.1 OID field too.
The
| | I don't think it's a problem, you just take the ASN.1 DigestInfo
| | value, since the trailing garbage isn't part of the DigestInfo, you
| | ignore it. Specifically, the ASN.1 object is entirely
| | self-contained, so you can tell exactly where it ends and what it
| | contains. Anything
| Granted, one or more implementations got this wrong. (Has anyone
| looked to see if all the incorrect code descends from a common
| root, way back when?)
|
| We have at least three independent widely used implementations that
| got things wrong: OpenSSL, Mozilla NSS, and GnuTLS.
|
: : 10.2.3 Data decoding
: : The data D shall be BER-decoded to give an ASN.1
: : value of type DigestInfo, which shall be separated
: : into a message digest MD and a message-digest
: : algorithm identifier. The message-digest algorithm
: : identifier shall determine the selected
: :
On 9/9/06, Adam Back [EMAIL PROTECTED] wrote:
IGE if this description summarized by Travis is correct, appears to be
a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
However the FREE-MAC mode (below described as IGE) was broken back in
Mar 2000 or maybe earlier by Gligor, Donescu
Travis H. wrote:
On 9/9/06, Adam Back [EMAIL PROTECTED] wrote:
IGE if this description summarized by Travis is correct, appears to be
a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
However the FREE-MAC mode (below described as IGE) was broken back in
Mar 2000 or maybe earlier