Re: [Hash] Charter discussion, round 1

Paul Hoffman <> Tue, 28 June 2005 16:21 UTC

Date: Tue, 28 Jun 2005 09:20:37 -0700
To: Ben Laurie <>
From: Paul Hoffman <>
Subject: Re: [Hash] Charter discussion, round 1

At 4:54 PM +0100 6/28/05, Ben Laurie wrote:
>I've managed to avoid IKE (so far)

Probably wise, or at least sanity-saving.

>  but PGP doesn't have parameters for crypto functions.

Ah. I now see that. There are parameters, but they're baked into the 
packet format.

>>>, and secondly, why constrain it in this way? A protocol could 
>>>easily transfer the random value somewhere other than in the 
>>>algorithm identification.
>>You may be right, but I'm not convinced about "easily".
>I'm pretty sure it's easy. What isn't so easy is changing all the 
>applications to understand the modified protocol.

Of course.

>>Do you have different wording that would help, for example, TLS use 
>>these kinds of functions if we define them?
>'Including a random value in the hash function computation.  The 
>random block used is transferred at appropriate points in the 
>protocol (ideally once for each use of the hash function).  This 
>approach is sometimes called a "salted" or "randomized" hash 

I prefer "value" to "block" in the second sentence, but the rest 
seems fine to me.

Do others have an opinion on this wording?

>And now I'm thinking harder about this, we also should say that care 
>needs to be taken that the right party chooses the random value (or 
>it may be that both (all?) parties should choose it in some cases) - 
>since allowing the attacker to choose it would be bad.

The whole purpose here is to allow the signing party to add 
randomness to the message they are signing. If the attacker is 
signing, don't they already have all the control they need for the 
collision attacks?

--Paul Hoffman, Director
--VPN Consortium
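Added illustration of the point under discussion (this is not code from the thread or from any IETF document): a deliberately weak toy hash (SHA-256 truncated to 16 bits, constructed here so that collisions are cheap) stands in for a hash with a known collision attack. An adversary who precomputes a collision pair against the plain hash loses it once the signer prepends a fresh random value chosen at signing time; if the adversary could fix that value in advance, the same search works just as well against the randomized hash, which is the "who chooses it" concern raised above. The function names are assumptions of this example.

```python
import hashlib
import os


def toy_hash(msg: bytes) -> bytes:
    """Constructed weak hash: SHA-256 truncated to 16 bits, so that
    collisions can be found by a brute birthday search."""
    return hashlib.sha256(msg).digest()[:2]


def randomized_hash(r: bytes, msg: bytes) -> bytes:
    """Same toy hash, with the random value r included in the input."""
    return toy_hash(r + msg)


def find_collision(prefix: bytes = b"", max_tries: int = 1 << 20):
    """Birthday search for two distinct messages that collide under the
    toy hash. With prefix=b"" this models offline precomputation against
    the plain hash; with a prefix it models an adversary who was allowed
    to fix the random value before the search."""
    seen = {}
    for i in range(max_tries):
        m = b"doc-" + str(i).encode()
        d = toy_hash(prefix + m)
        if d in seen and seen[d] != m:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision found")


def sign_randomized(msg: bytes):
    """Signer side: pick a fresh random value and transfer it alongside
    the digest (the signature over the digest is abstracted away)."""
    r = os.urandom(16)
    return r, randomized_hash(r, msg)


def verify_randomized(r: bytes, digest: bytes, msg: bytes) -> bool:
    """Verifier side: recompute with the transferred random value."""
    return randomized_hash(r, msg) == digest


def collision_survives_salt(m1: bytes, m2: bytes, trials: int = 200) -> int:
    """Count how many fresh signer-chosen r values still make the
    precomputed pair collide; expected about trials / 65536."""
    hits = 0
    for _ in range(trials):
        r = os.urandom(16)
        hits += randomized_hash(r, m1) == randomized_hash(r, m2)
    return hits
```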
