Re: [Hash] Charter discussion, round 1

Ben Laurie <> Tue, 28 June 2005 16:34 UTC

Date: Tue, 28 Jun 2005 17:34:05 +0100
From: Ben Laurie <>
To: Paul Hoffman <>
Subject: Re: [Hash] Charter discussion, round 1

Paul Hoffman wrote:
> At 4:54 PM +0100 6/28/05, Ben Laurie wrote:
>>> Do you have different wording that would help, for example, TLS use 
>>> these kinds of functions if we define them?
>> 'Including a random value in the hash function computation.  The 
>> random block used is transferred at appropriate points in the protocol 
>> (ideally once for each use of the hash function).  This approach is 
>> sometimes called a "salted" or "randomized" hash function.'
> I prefer "value" to "block" in the second sentence, but the rest seems 
> fine to me.

Fair enough - I took that word from the existing wording.

> Do others have an opinion on this wording?
>> And now I'm thinking harder about this, we also should say that care 
>> needs to be taken that the right party chooses the random value (or it 
>> may be that both (all?) parties should choose it in some cases) - 
>> since allowing the attacker to choose it would be bad.
> The whole purpose here is to allow the signing party to add randomness 
> to the message they are signing.

It is? Isn't the purpose to try to mitigate _all_ the problems caused by 
weak hashes?

> If the attacker is signing, don't they 
> already have all the control they need for the collision attacks?

Not if the relying party chooses the random value.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
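The exchange above turns on who chooses the random value that gets folded into the hash. The following is an added example, not code from the Hash WG thread or from any IETF draft, that makes the point concrete. It models a broken hash as SHA-256 truncated to 32 bits (constructed so that a birthday search finds collisions in well under a second), stands in an HMAC for the signature over the digest, and uses constructed key and message bytes; the function names (`weak_hash`, `randomized_hash`, `find_collision`, `sign`, `verify`) are the example's own. The random value is placed before the message because, for a Merkle-Damgard construction, a collision in a common prefix survives any data appended after it, so a value appended at the end would not disturb a precomputed collision.

```python
"""
Randomized ("salted") hashing and who chooses the random value.

Added example, not code from the Hash WG thread or any IETF document.
The 32-bit "weak hash" is constructed so collisions are cheap to find;
the key, the random values and the message strings are constructed data.
"""
import hashlib
import hmac
import secrets

HASH_BYTES = 4  # constructed: 32-bit output so a birthday search needs ~2^16 work


def weak_hash(data: bytes) -> bytes:
    """Deliberately weak hash: SHA-256 truncated to 32 bits (stand-in for a broken hash)."""
    return hashlib.sha256(data).digest()[:HASH_BYTES]


def randomized_hash(r: bytes, msg: bytes) -> bytes:
    """Include a random value r in the hash computation; r goes first so that a
    collision precomputed for the bare message does not carry over to r || msg."""
    return weak_hash(r + msg)


def find_collision(prefix: bytes) -> tuple[bytes, bytes]:
    """Birthday search: two distinct messages m1 != m2 with
    weak_hash(prefix + m1) == weak_hash(prefix + m2).
    Anyone who knows prefix (including a random value fixed before the search) can run this."""
    seen: dict[bytes, bytes] = {}
    i = 0
    while True:
        m = b"invoice-" + str(i).encode()  # all candidates are distinct
        h = weak_hash(prefix + m)
        if h in seen:
            return seen[h], m
        seen[h] = m
        i += 1


def sign(key: bytes, r: bytes, msg: bytes) -> bytes:
    """Signer: MAC over the randomized digest (stands in for a public-key signature on the hash)."""
    return hmac.new(key, randomized_hash(r, msg), hashlib.sha256).digest()


def verify(key: bytes, r: bytes, msg: bytes, sig: bytes) -> bool:
    """Relying party: recompute the randomized digest under the r it knows and check the signature."""
    return hmac.compare_digest(sign(key, r, msg), sig)


def relying_party_chooses_r(key: bytes, r: bytes) -> bool:
    """The attacker precomputes a colliding pair under the bare weak hash, then the relying
    party picks r fresh and sends it to the signer. Returns True if the substituted message
    m2 still verifies; it does not, because the collision was not built for this r."""
    m1, m2 = find_collision(b"")
    sig = sign(key, r, m1)          # signer signs the benign message under the RP's r
    return verify(key, r, m2, sig)  # attacker presents m2 with the same signature


def attacker_chooses_r(key: bytes, r_attacker: bytes) -> bool:
    """If the attacker chooses (or learns) r before searching, the collision is found for
    that r and the random value buys nothing. Returns True if m2 verifies; it does."""
    m1, m2 = find_collision(r_attacker)
    sig = sign(key, r_attacker, m1)
    return verify(key, r_attacker, m2, sig)


if __name__ == "__main__":
    key = secrets.token_bytes(16)                      # constructed signing key
    print("RP-chosen r, forgery verifies:", relying_party_chooses_r(key, secrets.token_bytes(16)))
    print("attacker-chosen r, forgery verifies:", attacker_chooses_r(key, b"attacker-picked-value"))
```

The two protocol cases differ only in when the random value is fixed relative to the attacker's collision search. With a fresh value chosen by the relying party after the message is committed, a collision found for the bare hash has only a 2^-32 chance of surviving in this toy; with a real 128- or 160-bit hash the corresponding chance is negligible, and the attacker would have to redo the collision search for each new r after the message is already bound.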