[3266] in cryptography@c2.net mail archive
Re: Time Based Token?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Aug 30 17:43:01 1998
To: tzeruch@ceddec.com
cc: cryptography@c2.net
Date: Sun, 30 Aug 1998 01:15:11 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
In message <98Aug24.210954edt.43013@brickwall.ceddec.com>, tzeruch@ceddec.com writes:
>Now that I am playing with my Palm III, something came up that made me
>think of that token which displays a different number every 30 seconds.
>
>Would something that would do a SHA1 of about 1K of random data (as a
>shared secret), and the current time be secure? Or would it have to be
>more elaborate?
I think I would use HMAC (see RFC 2104), rather than just SHA1. Apart
from the fact that SHA1 was not designed to be used as a keyed hash
function and HMAC was (and is provably strong), I am increasingly leery
of applying cryptographic operators to a counter. See, for example,
"From Differential Cryptanalysis to Ciphertext-Only Attacks", by Biryukov
and Kushilevitz, in the Proceedings of CRYPTO '98. (The paper does not
appear to be on the Web yet, though it will likely be findable via
http://link.springer.de/link/service/series moderately soon. Among other
results, it shows that counters and other blocks with lots of redundancy
are very useful for differential cryptanalysis.)