Re: XML signature HMAC truncation authentication bypass

2009-07-29 Thread Bill Stewart
At 05:11 PM 7/27/2009, Jon Callas wrote: By the way, do you think it's safe to phase out MD5? That will break all the PGP 2 users. Depends - if you're only replacing it with SHA-1, it's probably not worthwhile. And if you're breaking things anyway, might as well replace most of the

Re: XML signature HMAC truncation authentication bypass

2009-07-28 Thread Jon Callas
On Jul 26, 2009, at 10:31 PM, Peter Gutmann wrote: Jon Callas j...@callas.org writes: You are of course correct, Peter, but are you saying that we shouldn't do anything? Well, I think it's necessary to consider the tradeoffs, if you don't know the other side's capabilities then it's a

Re: XML signature HMAC truncation authentication bypass

2009-07-28 Thread Peter Gutmann
Jon Callas j...@callas.org writes: Okay, password-protected files would get it, too. I won't ask why you're sending password protected files to an agent. They're not technically password-protected files but pre-shared key (PSK) protected files, where the keys have a high level of entropy

Re: XML signature HMAC truncation authentication bypass

2009-07-27 Thread Peter Gutmann
Jon Callas j...@callas.org writes: You are of course correct, Peter, but are you saying that we shouldn't do anything? Well, I think it's necessary to consider the tradeoffs, if you don't know the other side's capabilities then it's a bit risky to assume that they're the same as yours. You are

Re: XML signature HMAC truncation authentication bypass

2009-07-26 Thread Peter Gutmann
Jon Callas j...@callas.org writes: On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote: PGP Desktop 9 uses as its default an iteration count of four million (!!) for its password hashing, which looks like a DoS to anything that does sanity-checking of input. That's precisely what it is -- a

Re: XML signature HMAC truncation authentication bypass

2009-07-26 Thread Jon Callas
Where this falls apart completely is when there are asymmetric capabilities across sender and receiver. You are of course correct, Peter, but are you saying that we shouldn't do anything? I don't believe that we should roll over and die. We should fight back, even if the advantage is to

Re: XML signature HMAC truncation authentication bypass

2009-07-20 Thread Jon Callas
On Jul 17, 2009, at 8:39 PM, Peter Gutmann wrote: PGP Desktop 9 uses as its default an iteration count of four million (!!) for its password hashing, which looks like a DoS to anything that does sanity-checking of input. That's precisely what it is -- a denial of service to password

Re: XML signature HMAC truncation authentication bypass

2009-07-19 Thread Peter Gutmann
Leandro Meiners lmein...@gmail.com quotes: For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid. This excessive generality is a serious problem in way too many crypto

XML signature HMAC truncation authentication bypass

2009-07-17 Thread Leandro Meiners
XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation

A slight defect in the truncated HMAC code...

2008-06-10 Thread Perry E. Metzger
) that incorporates security features such as authentication and privacy control. Authentication for SNMPv3 is done using keyed-hash message authentication code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key

Re: A slight defect in the truncated HMAC code...

2008-06-10 Thread Leichter, Jerry
| SNMPv3 Authentication Bypass Vulnerability | |Original release date: June 10, 2008 |Last revised: -- |Source: US-CERT | | Systems Affected | | * Multiple Implementations of SNMPv3 | | Overview | | A vulnerability in the way implementations of SNMPv3 handle specially |
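The defect that both the XMLDsig advisory and the SNMPv3 thread above describe, as an added example that is not code from the XMLDsig recommendation, the SNMPv3 advisory, or any poster in these threads: a verifier that takes the MAC truncation length from the message it is checking, beside one that enforces the RFC 2104 floor (at least 80 bits and at least half the digest) and compares in constant time. The key, the sample message and the function names are constructed for the illustration; SHA-1 is used because HMAC-SHA1 is the MAC algorithm XMLDsig requires, and the HMAC is written out by hand so the nested inner/outer hashes discussed later in the archive are visible.

```python
import hashlib
import hmac

BLOCK = 64                                  # SHA-1 block size in bytes
HASH_BITS = 160                             # SHA-1 digest length in bits
MIN_TRUNC_BITS = max(80, HASH_BITS // 2)    # RFC 2104 floor: at least 80 bits and half the digest


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 written out per RFC 2104 so the nested inner/outer hashes are visible."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()    # inner hash over the keyed message
    return hashlib.sha1(opad + inner).digest()   # outer hash over the inner digest


def reference_tag(key: bytes, msg: bytes) -> bytes:
    """Standard-library HMAC-SHA1, used to check the hand-written construction."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def truncate(tag: bytes, nbits: int) -> bytes:
    """Leading nbits bits of tag, the way an HMACOutputLength value is applied."""
    nbytes = (nbits + 7) // 8
    out = bytearray(tag[:nbytes])
    spare = nbytes * 8 - nbits               # low-order bits of the last byte to discard
    if spare and out:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def verify_weak(key: bytes, msg: bytes, sig: bytes, out_len: int) -> bool:
    """The defect: the truncation length is taken from the (attacker-controlled) message.
    With out_len == 1 a forger needs at most two guesses."""
    return truncate(hmac_sha1(key, msg), out_len) == truncate(sig, out_len)


def verify_hardened(key: bytes, msg: bytes, sig: bytes, out_len: int) -> bool:
    """Reject lengths below the RFC 2104 floor or above the digest, then compare in constant time."""
    if not MIN_TRUNC_BITS <= out_len <= HASH_BITS:
        return False
    expected = truncate(hmac_sha1(key, msg), out_len)
    return hmac.compare_digest(expected, truncate(sig, out_len))


def forge(verifier, key: bytes, msg: bytes, out_len: int):
    """Attacker's view: no key, only a verification oracle (the key is passed through to
    the oracle, never read here). Tries every out_len-bit tag and returns the first
    accepted signature, or None if the verifier refuses the length outright."""
    nbytes = (out_len + 7) // 8
    for candidate in range(1 << out_len):
        sig = (candidate << (nbytes * 8 - out_len)).to_bytes(nbytes, "big")
        if verifier(key, msg, sig, out_len):
            return sig
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"                              # constructed, not a real secret
    msg = b"<Envelope><Body>transfer 100</Body></Envelope>"   # constructed sample message
    assert hmac_sha1(key, msg) == reference_tag(key, msg)
    print("weak verifier, 1-bit HMACOutputLength, forged sig:", forge(verify_weak, key, msg, 1))
    print("hardened verifier, 1-bit HMACOutputLength:", forge(verify_hardened, key, msg, 1))
```

The hardened check is the whole fix: the length floor has to be enforced by the verifier from its own policy, never read from the signed document, and any HMACOutputLength outside the allowed range should fail closed rather than fall back to a default.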

Re: interesting HMAC attack results

2006-09-28 Thread Alexander Klimov
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, by Scott Contini and Yiqun Lisa Yin (*) On Mon, 25 Sep 2006, Anton Stiglic wrote: Very interesting, I wonder how this integrates with the following paper http://citeseer.ist.psu.edu/bellare06new.html

interesting HMAC attack results

2006-09-23 Thread Perry E. Metzger
http://eprint.iacr.org/2006/319 Cryptology ePrint Archive: Report 2006/319 Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini and Yiqun Lisa Yin Abstract. In this paper, we analyze the security of HMAC and NMAC, both of which are hash-based

Interesting papers on HMAC and NMAC

2006-07-10 Thread Perry E. Metzger
Steve Bellovin forwarded me the following links (which he got from Eric Rescorla). Note the bit at the end about a path to second preimage attacks: http://eprint.iacr.org/2006/187 On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 Jongsung Kim and Alex Biryukov

Re: what's wrong with HMAC?

2006-05-02 Thread Hal Finney
Travis H. writes: Ross Anderson once said cryptically, HMAC has a long story attached to it - the triumph of the theory community over common sense He wouldn't expand on that any more... does anyone have an idea of what he is referring to? I might speculate, based on what you write here

Re: what's wrong with HMAC?

2006-05-02 Thread William Allen Simpson
Hal Finney wrote: Travis H. writes: Ross Anderson once said cryptically, HMAC has a long story attached to it - the triumph of the theory community over common sense He wouldn't expand on that any more... does anyone have an idea of what he is referring to? I might speculate, based on what

Re: what's wrong with HMAC?

2006-05-02 Thread Bart Preneel
weakness of envelope MAC as described in RFC 1828 (our Eurocrypt'96 paper). Once a collision is found, one has both forgeries and key recovery, which is not the case for HMAC. I must say that I don't understand this claim: The basic problem is that the nested method truncates the internal

what's wrong with HMAC?

2006-05-01 Thread Travis H.
Ross Anderson once said cryptically, HMAC has a long story attached to it - the triumph of the theory community over common sense He wouldn't expand on that any more... does anyone have an idea of what he is referring to? -- Curiosity killed the cat, but for a while I was a suspect -- Steven

Re: what's wrong with HMAC?

2006-05-01 Thread Thierry Moreau
Travis H. wrote: Ross Anderson once said cryptically, HMAC has a long story attached to it - the triumph of the theory community over common sense He wouldn't expand on that any more... does anyone have an idea of what he is referring to? I suggest that you read the theory, make your

Re: [Cfrg] HMAC-MD5

2006-04-01 Thread John Kelsey
From: [EMAIL PROTECTED] Sent: Mar 30, 2006 3:38 PM To: cryptography@metzdowd.com Subject: Re: [Cfrg] HMAC-MD5 I think that we have the evidence. The security of MD5 depends heavily on a lot of nonlinearities in functions F,G,I and on carries in arithmetic additions. Nonlinearities in F,G,I

Re: [Cfrg] HMAC-MD5

2006-03-30 Thread Hal Finney
I (Hal Finney) wrote: A couple of (rather uninformed) thoughts regarding HMAC-MD5: First, how could collision attacks be extended to preimage attacks? And second, how would preimage attacks affect HMAC-MD5? I have to apologize for that message; I was totally confused particularly

Re: [Cfrg] HMAC-MD5

2006-03-30 Thread vlastimil . klima
: cryptography@metzdowd.com Subject: Re: [Cfrg] HMAC-MD5 Date: 29.3.2006 - 21:14:06 On Wed, Mar 29, 2006 at 10:51:08AM +0200, [EMAIL PROTECTED] wrote: I am nearly sure that a preimage attack (MD5) will be found in the next two or three years. Is there already evidence of progress

Re: [Cfrg] HMAC-MD5

2006-03-29 Thread vlastimil . klima
I agree with Steven's I'd rather avoid HMAC-MD5, just as a matter of future-proofing. And more. I am nearly sure that a preimage attack (MD5) will be found in the next two or three years. Vlastimil Klima http:/cryptography.hyperlink.cz - ORIGINAL MESSAGE - From: Steven M. Bellovin [EMAIL

Re: [Cfrg] HMAC-MD5

2006-03-29 Thread Victor Duchovni
On Wed, Mar 29, 2006 at 10:51:08AM +0200, [EMAIL PROTECTED] wrote: I am nearly sure that a preimage attack (MD5) will be found in the next two or three years. Is there already evidence of progress in that direction? -- Viktor.

Re: [Cfrg] HMAC-MD5

2006-03-29 Thread Hal Finney
A couple of (rather uninformed) thoughts regarding HMAC-MD5: First, how could collision attacks be extended to preimage attacks? And second, how would preimage attacks affect HMAC-MD5? For a preimage attack, consider the simplest case, a single input block of 64 bytes. Then Hash = IV

Re: HMAC?

2004-08-26 Thread Ben Laurie
Amir Herzberg wrote: Perry E. Metzger wrote: So the question now arises, is HMAC using any of the broken hash functions vulnerable? Considering that HMAC goal is `only` a MAC (shared key authentication), the existence of any collision is not very relevant to its use. But furthermore, what HMAC

Re: HMAC?

2004-08-26 Thread John Kelsey
From: Ben Laurie [EMAIL PROTECTED] Sent: Aug 26, 2004 7:41 AM To: Amir Herzberg [EMAIL PROTECTED] Cc: Perry E. Metzger [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: HMAC? Amir Herzberg wrote: So, finding specific collisions in the hash function should not cause too much worry about its

Re: HMAC?

2004-08-20 Thread Hal Finney
More on the question of HMAC. As mentioned before, the potential attack would be to find a collision on the inner hash, even without knowing the key. Since the key is exactly one hash block in length, the effect is identical to finding a hash collision without knowing the IV. Discussing