bram (bram@gawth.com)
Mon, 29 Jun 1998 17:12:56 -0700 (PDT)
On 29 Jun 1998, Perry E. Metzger wrote:
>
> Re: when to truncate hashes, and when not to.
>
> If you are using a hash as a MAC, as in HMAC, truncation makes
> inversion of the MAC harder, so a (small) amount of truncation is
> actually a good thing.

It can also leave you more vulnerable to attacks where an enemy
substitutes phony messages for real ones - it's easier to find substitutes
which slip by the MAC.

If anybody has any references about what might be a reasonable number of
bits to drop for SHA-1 and RIPEMD-160 used as a MAC, I'd like to see them.
Until I see an actual paper recommending a concrete number though, I'll
just stick to zero.

-Bram
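
Added example, not part of the message above or of the thread: the truncation trade-off for HMAC-SHA-1, with a verifier that enforces the RFC 2104 minimum tag length (at least half the hash output and at least 80 bits) and a count of how many blind tag guesses a substituted message needs at very short lengths. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

def min_tag_bits(digest="sha1"):
    """RFC 2104 floor: at least half the hash output and at least 80 bits."""
    return max(80, hashlib.new(digest).digest_size * 8 // 2)

def truncated_hmac(key, msg, bits, digest="sha1"):
    """Leftmost `bits` bits of HMAC(key, msg); whole bytes only, for simplicity."""
    full = hmac.new(key, msg, digest).digest()
    if bits % 8 or not 0 < bits <= len(full) * 8:
        raise ValueError("bits must be a multiple of 8 within the digest size")
    return full[: bits // 8]

def verify(key, msg, tag, bits, digest="sha1", enforce_floor=True):
    """Constant-time check of a truncated tag; refuses lengths below the floor."""
    if enforce_floor and bits < min_tag_bits(digest):
        return False
    if len(tag) * 8 != bits:
        return False
    return hmac.compare_digest(truncated_hmac(key, msg, bits, digest), tag)

def guesses_until_accepted(key, msg, bits, digest="sha1"):
    """Count the tag guesses a sender without the key needs before `msg` passes.

    Only feasible for tiny `bits`; the worst case is 2**bits guesses, which is
    why the verifier above refuses short tags by default.
    """
    nbytes = bits // 8
    for n in range(2 ** bits):
        guess = n.to_bytes(nbytes, "big")
        if verify(key, msg, guess, bits, digest, enforce_floor=False):
            return n + 1
    raise RuntimeError("unreachable: exactly one tag of this length verifies")

if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample values
    substitute = b"constructed substitute message"
    for bits in (8, 16):
        n = guesses_until_accepted(key, substitute, bits)
        print(f"{bits}-bit tag: accepted after {n} guesses (max {2 ** bits})")
    print("minimum tag length for HMAC-SHA-1:", min_tag_bits("sha1"), "bits")
    tag = truncated_hmac(key, substitute, 96)
    print("96-bit tag verifies:", verify(key, substitute, tag, 96))
```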
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:12 ADT