Re: truncated hashes


Perry E. Metzger (perry@piermont.com)
Mon, 29 Jun 1998 23:26:59 -0400


Greg Rose writes:
> bram writes:
> >On 29 Jun 1998, Perry E. Metzger wrote:
> >
> >>
> >> Re: when to truncate hashes, and when not to.
> >>
> >> If you are using a hash as a MAC, as in HMAC, truncation makes
> >> inversion of the MAC harder, so a (small) amount of truncation is
> >> actually a good thing.
> >
> >It can also leave you more vulnerable to attacks where an enemy
> >substitutes phony messages for real ones - it's easier to find substitutes
> >which slip by the MAC.
>
> Both of these postings can leave one with the impression that MACs and
> hashes are the same thing... which they are not.

I was careful to note "If you are using a hash as a MAC", referring
implicitly to a construction like HMAC. The point of truncation in
HMAC is that it reduces the amount of information available to the
adversary attempting to guess the key. It is not, of course, entirely
without danger -- using it is a tradeoff between expectation of
different kinds of attack.

Unfortunately, the crypto folks don't really have enough interesting
data on MACs of any sort yet. I think the study of the area is just
really beginning now in earnest.

Perry
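
The tradeoff discussed in this message, as an added example that is not part of the original post: a truncated HMAC-SHA-1 with a verifier that accepts only the agreed tag length, plus the two quantities being traded (output bits withheld from an observer versus the chance that a blind guess is accepted). The function names are hypothetical, the length floor follows the recommendation in RFC 2104 section 5, and the key and message are test case 1 of RFC 2202.

```python
import hashlib
import hmac
from fractions import Fraction

def min_tag_bits(digest_name):
    """Floor assumed here (RFC 2104 sec. 5): half the hash output, never below 80 bits."""
    full_bits = hashlib.new(digest_name).digest_size * 8
    return max(full_bits // 2, 80)

def truncated_hmac(key, msg, tag_bits, digest_name="sha1"):
    """Return the leftmost tag_bits of HMAC(key, msg)."""
    full = hmac.new(key, msg, digest_name).digest()
    if tag_bits % 8 or not min_tag_bits(digest_name) <= tag_bits <= len(full) * 8:
        raise ValueError("tag length outside the accepted range")
    return full[: tag_bits // 8]

def verify(key, msg, tag, tag_bits, digest_name="sha1"):
    """Accept only a tag of exactly the agreed length; compare in constant time."""
    expected = truncated_hmac(key, msg, tag_bits, digest_name)
    return len(tag) == len(expected) and hmac.compare_digest(tag, expected)

def blind_forgery_chance(tag_bits):
    """Chance that one randomly chosen tag is accepted for a substituted message."""
    return Fraction(1, 2 ** tag_bits)

def hidden_bits(tag_bits, digest_name="sha1"):
    """Bits of the full HMAC output that an observer of the tag never sees."""
    return hashlib.new(digest_name).digest_size * 8 - tag_bits

if __name__ == "__main__":
    key = bytes([0x0b]) * 20   # RFC 2202 test case 1 key
    msg = b"Hi There"          # RFC 2202 test case 1 data
    for bits in (160, 96, 80):
        tag = truncated_hmac(key, msg, bits)
        print(bits, tag.hex(), hidden_bits(bits), blind_forgery_chance(bits))
```

Each byte dropped from the tag withholds 8 more output bits from the observer and makes a blind substitution 256 times more likely to pass, which is why the verifier refuses lengths below the floor and refuses a shorter tag than the one agreed.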



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:13 ADT