[16940] in cryptography@c2.net mail archive
Re: SHA-1 cracked
daemon@ATHENA.MIT.EDU (Dan Kaminsky)
Tue Feb 22 11:38:42 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 17 Feb 2005 11:16:32 -0800
From: Dan Kaminsky <dan@doxpara.com>
To: Alexandre Dulaunoy <adulau@foo.be>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
cryptography@metzdowd.com
In-Reply-To: <Pine.LNX.4.44.0502161506310.23328-100000@gilmore.ael.be>
>And what about HMAC-SHA1? Does it reduce the operations required by
>the same factor, or is the structure of HMAC so different that the
>attack is very unlikely to be practical?
>
Depends if you care about HMAC collisions being computationally
infeasible or not. The attack against MD5 adapts to arbitrary initial
states, and you can basically consider HMAC a complex mechanism for
introducing a password into the initial state. So, as an attacker, I
can indeed create two payloads with the same HMAC-MD5 hash, presuming I
know the password. But, as several people pointed out, this is a little
like saying AES is insecure if the attacker learns the key. The
primitive itself specifies that this must remain secret; behavior when
it doesn't isn't specified.
Presumably, the attack against SHA-1 has similar output to the attack
from MD5 (though we can't be sure -- specifically, the padding was
totally orthogonal to the crypto break for MD5, so it's odd that some
people are saying it's making a difference for SHA-1). So, I don't
expect things to be any different.
--Dan
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
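As an added illustration (not part of Dan's message or of the thread), here is a deliberately weak toy Merkle-Damgard hash wrapped in HMAC. It shows the structural point above: a collision attack that can start from an arbitrary chaining value yields HMAC collisions for anyone who knows the key, while a collision found for the public IV does not carry over to HMAC. The 32-bit toy hash, the birthday search standing in for the real MD5/SHA-1 attacks, and the sample key are all constructed for this example.

```python
"""Toy Merkle-Damgard hash + HMAC: constructed example, not MD5 or SHA-1."""
import hashlib
import struct

BLOCK = 8            # toy block size in bytes
IV = 0x67452301      # fixed public starting state (any constant would do)

def compress(state: int, block: bytes) -> int:
    """Toy compression: 32-bit state + 8-byte block -> 32-bit state.
    SHA-256 is only a convenient mixer; the 32-bit state is what makes
    collisions cheap (a birthday search of roughly 2**16 work)."""
    assert len(block) == BLOCK
    out = hashlib.sha256(struct.pack(">I", state) + block).digest()
    return struct.unpack(">I", out[:4])[0]

def toy_hash(msg: bytes, iv: int = IV) -> bytes:
    """Merkle-Damgard chaining with 0x80, zero, 8-byte-length padding."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK) + struct.pack(">Q", len(msg))
    state = iv
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return struct.pack(">I", state)

def key_blocks(key: bytes) -> tuple[bytes, bytes]:
    key = key.ljust(BLOCK, b"\x00")            # HMAC zero-pads short keys
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    ipad, opad = key_blocks(key)
    return toy_hash(opad + toy_hash(ipad + msg))

def inner_iv(key: bytes) -> int:
    """The 'password in the initial state': the chaining value after the
    inner hash absorbs (key XOR ipad). Only a key holder can compute it."""
    return compress(IV, key_blocks(key)[0])

def collide_from_state(state: int) -> tuple[bytes, bytes]:
    """Stand-in for an arbitrary-IV collision attack: birthday-search two
    distinct blocks m1 != m2 with compress(state, m1) == compress(state, m2)."""
    seen: dict[int, bytes] = {}
    for i in range(1, 1 << 24):
        block = struct.pack(">Q", i)
        nxt = compress(state, block)
        if nxt in seen:
            return seen[nxt], block
        seen[nxt] = block
    raise RuntimeError("no collision found")

def demo(key: bytes = b"secret") -> tuple[bool, bool, bool]:
    m1, m2 = collide_from_state(inner_iv(key))   # attacker knows the key
    hmac_collides = toy_hmac(key, m1) == toy_hmac(key, m2)
    p1, p2 = collide_from_state(IV)              # public-IV collision only
    return hmac_collides, toy_hash(p1) == toy_hash(p2), toy_hmac(key, p1) == toy_hmac(key, p2)
```

Because the two colliding blocks produce the same chaining value and are the same length, every block after them (padding included) is processed identically, which is why the inner-hash collision survives the outer hash.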