Re: truncated hashes

Perry E. Metzger (perry@piermont.com)
Mon, 29 Jun 1998 23:26:59 -0400

• Next message: Perry E. Metzger: "Re: truncated hashes"
• Previous message: Paulo Barreto: "Re: SHA and SHA-1 algorithms"
• In reply to: Greg Rose: "Re: SHA and SHA-1 algorithms"
• Next in thread: Adam Shostack: "Re: truncated hashes"

Greg Rose writes:
> bram writes:
> >On 29 Jun 1998, Perry E. Metzger wrote:
> >
> >>
> >> Re: when to truncate hashes, and when not to.
> >>
> >> If you are using a hash as a MAC, as in HMAC, truncation makes
> >> inversion of the MAC harder, so a (small) amount of truncation is
> >> actually a good thing.
> >
> >It can also leave you more vulnerable to attacks where an enemy
> >substitutes phony messages for real ones - it's easier to find
> substitutes
> >which slip by the MAC.
>
> Both of these postings can leave one with the impression that MACs and
> hashes are the same thing... which they are not.

I was careful to note "If you are using a hash as a MAC", refering
implicitly to a construction like HMAC. The point of truncation in
HMAC is that it reduces the amount of information available to the
advesary attempting to guess the key. It is not, of course, entirely
without danger -- using it is a tradeoff between expectation of
different kinds of atack.

Unfortunately, the crypto folks don't really have enough interesting
data on MACs of any sort yet. I think the study of the area is just
really beginning now in earnest.

Perry

• Next message: Perry E. Metzger: "Re: truncated hashes"
• Previous message: Paulo Barreto: "Re: SHA and SHA-1 algorithms"
• In reply to: Greg Rose: "Re: SHA and SHA-1 algorithms"
• Next in thread: Adam Shostack: "Re: truncated hashes"