[11906] in cryptography@c2.net mail archive


Re: Why is RMAC resistant to birthday attacks?

daemon@ATHENA.MIT.EDU (Greg Rose)
Tue Oct 22 19:30:28 2002

Date: Wed, 23 Oct 2002 09:01:39 +1000
To: Wei Dai <weidai@weidai.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: bear <bear@sonic.net>, Ed Gerck <egerck@nma.com>,
	Victor.Duchovni@morganstanley.com,
	Cryptography <cryptography@wasabisystems.com>
In-Reply-To: <20021022190542.GA31267@weidai.com>

At 03:05 PM 10/22/2002 -0400, Wei Dai wrote:
>Call the Jan 21 document x, and the Sept 30 document y. Now Bob knows
>MAC_Alice(x | z) = MAC_Alice(y | z) for all z, because the internal states
>of the MAC after processing x and y are the same and therefore will remain
>equal given identical suffixes. So he can get a MAC on x | z and
>it's also a valid MAC for y | z, which Alice didn't sign.  This applies
>for CBC-MAC, DMAC, HMAC, and any other MAC that is not randomized or
>maintains state (for example a counter) from message to message.

A nit... this isn't *quite* true for HMAC; the collision could have been in 
the outer hash function evaluation, not the inner. I haven't yet looked at 
RMAC and don't know what DMAC is, so I can't comment on them.

Still, the attack gives a 50% chance of forging an HMAC, so it's a valid 
attack.

Greg.

Greg Rose                                       INTERNET: ggr@qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
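An added example, not code from this thread or any of its authors: a toy CBC-MAC with a 16-bit internal state, small enough that two messages with equal internal state can be exhibited directly. It shows Wei Dai's point that once the states after x and y agree, the tags on x|z and y|z agree for every suffix z, and sketches (as an assumption, not RMAC's actual construction) why a per-message random value stops an observer from comparing tags across messages.

```python
import hashlib
import secrets

BLOCK = 2  # toy 16-bit state so a collision is cheap to exhibit; real MACs use 128 bits or more


def toy_block_fn(key, block):
    """Toy keyed block function standing in for a block cipher (NOT a real cipher)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_state(key, msg):
    """Internal chaining value of a plain CBC-MAC after absorbing msg (zero padded)."""
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        chunk = msg[i:i + BLOCK].ljust(BLOCK, b"\0")
        state = toy_block_fn(key, bytes(a ^ b for a, b in zip(state, chunk)))
    return state


def cbc_mac(key, msg):
    """Deterministic CBC-MAC: the tag is just the final chaining value."""
    return cbc_state(key, msg)


def find_state_collision(key, trials=5000):
    """Birthday search over counter-valued 2-block messages for two with equal state.
    About 2**8 trials are expected for a 16-bit state; 5000 makes success near certain."""
    seen = {}
    for i in range(trials):
        m = i.to_bytes(2 * BLOCK, "big")
        s = cbc_state(key, m)
        if s in seen:
            return seen[s], m
        seen[s] = m
    return None


def suffix_tags_agree(key, x, y, z):
    """Wei Dai's observation: equal state after x and y => MAC(x|z) == MAC(y|z) for any z."""
    return cbc_mac(key, x + z) == cbc_mac(key, y + z)


def randomized_tag(key, msg, r=None):
    """Assumed simplified randomized variant (not RMAC's exact construction): a fresh
    per-message value r keys the final step and travels with the tag, so tags of two
    messages are only comparable when r happens to repeat."""
    r = secrets.token_bytes(BLOCK) if r is None else r
    return r, toy_block_fn(key + r, cbc_state(key, msg))


if __name__ == "__main__":
    key = b"toy-key"
    x, y = find_state_collision(key)
    print(x.hex(), y.hex(), suffix_tags_agree(key, x, y, b"any suffix"))  # prints two hex strings and True
```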
