IETF Logo Mail Archive

Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...

Taylor R Campbell <campbell+cfrg@mumble.net> Fri, 10 February 2017 06:55 UTC

Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 140B2129509 for <cfrg@ietfa.amsl.com>; Thu, 9 Feb 2017 22:55:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHRtLizUqSjb for <cfrg@ietfa.amsl.com>; Thu, 9 Feb 2017 22:55:32 -0800 (PST)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 042431294CE for <cfrg@ietf.org>; Thu, 9 Feb 2017 22:55:31 -0800 (PST)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id 223AC60AB1; Fri, 10 Feb 2017 06:55:25 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: David Jacobson <dmjacobson@sbcglobal.net>
In-reply-to: <20170210062303.B686060A8C@jupiter.mumble.net> (campbell+cfrg@mumble.net)
Date: Fri, 10 Feb 2017 06:55:30 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <20170210065525.223AC60AB1@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DZ1rMp3q7RjeKOQrmDDjxrh0B2k>
Cc: cfrg@ietf.org, Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil>
Subject: Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 06:55:33 -0000

> Date: Fri, 10 Feb 2017 06:23:09 +0000
> From: Taylor R Campbell <campbell+cfrg@mumble.net>
> 
> To store a file m, compute k = SHA512(m).  [...]
> 
> Problem:  By revealing SHA256(k) to the server, we have allowed the
> server to forge stored ciphertexts, because HMAC-SHA256(k, c0) =
> HMAC-SHA256(SHA256(k), c0), [...]

Oops -- this particular scenario doesn't work because if |k| <= 512,
the block size of SHA256, then HMAC-SHA256 uses k verbatim with no
prehash.  We would need to have chosen a >512-bit k, which makes this
whole scenario even less likely: typical block sizes are >=512 bits
(e.g., MD5, SHA1, SHA2, SHA3, BLAKE2), and typical output sizes are
<=512 bits.

v2.23.0 | Report a Bug | By Email