Alex Alten (Andrade@netcom.com)
Tue, 30 Jun 1998 07:56:23 -0700
At 09:25 AM 6/30/98 -0400, Perry E. Metzger wrote:
>
>Alex Alten writes:
>> >I'm actually under the impression that using a truncated hash output
>> >in lieu of the hash produces a more secure result under many
>> >circumstances.
>>
>> No. Hashes do not have perfect random output. If you truncate the output
>> you will introduce vulnerabilities not anticipated by the designer.
>
>I don't mean to be insulting here, really I don't, but quite frankly
>you don't have any idea in hell what you are talking about. Even your
>"explanation" here doesn't have any ring of reasonableness to it. Read
>some of the literature on using hashes in message authentication codes
>first, THEN talk.
>
>As I noted, if you aren't in a situation where birthday attacks are an
>issue, some truncation can reduce vulnerability to attacks to
>determine the key of the MAC.
>
>Before replying, please learn what I'm talking about FIRST.
As part of my work I have cryptanalyzed several proprietary hashes
and I've broken one. I've also had the pleasure of listening to
an expert hash cryptographer discuss hash design and cryptanalyze
some hashes. I don't pretend to be able to design a hash, but I
think I've learned enough to respect why a designer has chosen to
output a certain number of bits and no less. I've kept my
"explanation" terse because I really don't want to get into a long
winded discussion about hash implementation behavior. The best
way to understand whether or not a hash is suited to being
truncated in a particular case is to go and experiment with it,
starting with the compression function.
- Alex
-- Alex Alten Andrade@Netcom.Com P.O. Box 11406 Pleasanton, CA 94588 USA (510) 417-0159
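The disagreement above is about truncating hash output when the hash is used inside a MAC. As an added illustration (not part of the archived thread, and not code from either author), the following Python shows the conventional way this is done for HMAC: RFC 2104 section 5 allows emitting only the t leftmost bits of the tag, and recommends t be at least half the hash output length (to keep the birthday bound) and at least 80 bits. The key, message, hash choice (SHA-256) and 128-bit tag length are assumptions chosen for the example; the length checks encode the RFC guidance, and verification uses a constant-time compare.

```python
import hmac
import hashlib

# RFC 2104 section 5: a truncated HMAC tag should be at least 80 bits long
# and at least half the underlying hash output (the birthday bound).
MIN_TAG_BITS = 80


def check_tag_length(hash_name: str, tag_bytes: int) -> int:
    """Validate a truncation length against the RFC 2104 guidance.

    Returns the full digest size in bytes; raises ValueError if the
    requested tag length is unsafe or impossible.
    """
    digest_bytes = hashlib.new(hash_name).digest_size
    if tag_bytes > digest_bytes:
        raise ValueError(
            f"tag of {tag_bytes} bytes exceeds {hash_name} output of {digest_bytes} bytes"
        )
    if tag_bytes * 8 < MIN_TAG_BITS:
        raise ValueError(f"tag of {tag_bytes * 8} bits is below the {MIN_TAG_BITS}-bit minimum")
    if tag_bytes * 2 < digest_bytes:
        raise ValueError(
            f"tag of {tag_bytes} bytes is less than half the {digest_bytes}-byte hash output"
        )
    return digest_bytes


def is_valid_tag_length(hash_name: str, tag_bytes: int) -> bool:
    """Boolean wrapper around check_tag_length for callers that prefer no exception."""
    try:
        check_tag_length(hash_name, tag_bytes)
        return True
    except ValueError:
        return False


def truncated_hmac(key: bytes, message: bytes, hash_name: str = "sha256", tag_bytes: int = 16) -> bytes:
    """Compute HMAC over the full hash and keep only the leftmost tag_bytes.

    Truncation happens after the full HMAC computation, so the compression
    function and the outer hash run unchanged; only part of the result is
    disclosed to the verifier (and to any attacker watching the wire).
    """
    check_tag_length(hash_name, tag_bytes)
    full_tag = hmac.new(key, message, hash_name).digest()
    return full_tag[:tag_bytes]


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the truncated tag and compare in constant time.

    A tag shorter than the allowed minimum is rejected outright rather than
    compared, so an attacker cannot shrink the tag to make guessing cheaper.
    """
    try:
        expected = truncated_hmac(key, message, hash_name, len(tag))
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)


def forgery_probability_per_guess(tag_bytes: int) -> float:
    """Chance that one random tag guess passes verification for a t-bit tag."""
    return 2.0 ** (-8 * tag_bytes)


if __name__ == "__main__":
    # Constructed sample values; a real deployment derives the key securely.
    key = b"example-key-not-for-real-use"
    message = b"transfer 100 units to account 42"

    tag = truncated_hmac(key, message, "sha256", 16)
    print("128-bit tag:", tag.hex())
    print("verifies:", verify_tag(key, message, tag))
    print("tampered verifies:", verify_tag(key, message + b"0", tag))
    print("per-guess forgery probability:", forgery_probability_per_guess(16))
    print("64-bit tag allowed for sha256:", is_valid_tag_length("sha256", 8))
```

Run the module directly to see a 128-bit tag verify, fail on a tampered message, and see the 64-bit truncation rejected for SHA-256 (it violates both the 80-bit floor and the half-output rule).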
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:15 ADT