Thread: interesting HMAC attack results

interesting HMAC attack results
Anton Stiglic
2006-09-25 20:28:31
Very interesting, I wonder how this integrates with the following paper

http://citeseer.ist.psu.edu/bellare06new.html

which basically says:

Abstract: HMAC was proved in [2] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised.

--Anton



Perry E. Metzger
Sat, 23 Sep 2006 05:52:04 -0700

  http://eprint.iacr.org/2006/319

Cryptology ePrint Archive: Report 2006/319

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

Scott Contini and Yiqun Lisa Yin

  Abstract. In this paper, we analyze the security of HMAC and NMAC, both of which are hash-based message authentication codes. We present distinguishing, forgery, and partial key recovery attacks on HMAC and NMAC using collisions of MD4, MD5, SHA-0, and reduced SHA-1. Our results demonstrate that the strength of a cryptographic scheme can be greatly weakened by the insecurity of the underlying hash function.

[I heard about this paper from ekr's blog.]


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
interesting HMAC attack results
user name
2006-09-26 12:10:12
>> Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using
>> Hash Collisions, by Scott Contini and Yiqun Lisa Yin (*)

On Mon, 25 Sep 2006, Anton Stiglic wrote:
> Very interesting, I wonder how this integrates with the following paper
> http://citeseer.ist.psu.edu/bellare06new.html (**)

According to Section 1.4 of (*), the new result on HMAC does not contradict the analysis in (**). That is, the assumption used by Mihir Bellare does not hold for MD4, MD5, and SHA-1.

-- 
Regards,
ASK
