Perry E. Metzger (perry@piermont.com)
Mon, 29 Jun 1998 23:23:32 -0400

bram writes:
> On 29 Jun 1998, Perry E. Metzger wrote:
> > Re: when to truncate hashes, and when not to.
> >
> > If you are using a hash as a MAC, as in HMAC, truncation makes
> > inversion of the MAC harder, so a (small) amount of truncation is
> > actually a good thing.
>
> It can also leave you more vulnerable to attacks where an enemy
> substitutes phony messages for real ones - it's easier to find substitutes
> which slip by the MAC.

Nope, it isn't. It is harder, assuming that we are attempting an
attack and not brute force. If you are assuming a brute force attack
of, say, 2^96th texts being sent to you is reasonable, then I suppose
you would be correct, but we are making the assumption that isn't
true.

> If anybody has any references about what might be a reasonable number of
> bits to drop for SHA-1 and RIPEMD-160 used as a MAC, I'd like to see them.
> Until I see an actual paper recommending a concrete number though, I'll
> just stick to zero.

Try starting with the references in RFC2104 on the tradeoffs of
truncation.

Perry
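
The truncation discussed in this message, as an added example that is not part of the original post or of RFC 2104: HMAC-SHA1 cut to its leftmost 96 bits, with the RFC 2104 length floor (at least half the hash output and at least 80 bits) enforced and a constant-time check on the receiving side. The function names, the 12-byte default and the sample key and message are assumptions made for illustration.

```python
import hashlib
import hmac
from fractions import Fraction


def min_tag_bytes(digest_name):
    # RFC 2104 section 5: keep at least half the hash output, never under 80 bits.
    full = hashlib.new(digest_name).digest_size
    return max((full + 1) // 2, 10)


def truncated_hmac(key, msg, digest_name="sha1", tag_bytes=12):
    full = hmac.new(key, msg, digest_name).digest()
    if not min_tag_bytes(digest_name) <= tag_bytes <= len(full):
        raise ValueError("tag length outside the RFC 2104 recommended range")
    return full[:tag_bytes]  # RFC 2104 keeps the leftmost t bits


def verify(key, msg, tag, digest_name="sha1", tag_bytes=12):
    # The verifier fixes the length; a shorter tag from the sender is rejected
    # instead of being compared against a matching shorter prefix.
    if len(tag) != tag_bytes:
        return False
    expected = truncated_hmac(key, msg, digest_name, tag_bytes)
    return hmac.compare_digest(expected, tag)


def blind_forgery_bound(tag_bytes, attempts):
    # Assumption: an ideal t-bit MAC, attacker without the key. Each tag
    # submitted to the verifier is then accepted with probability 2^-t.
    return min(Fraction(attempts, 2 ** (8 * tag_bytes)), Fraction(1))


if __name__ == "__main__":
    key = bytes(range(20))                # constructed sample key
    msg = b"constructed sample message"   # constructed sample message
    tag = truncated_hmac(key, msg)
    print(tag.hex(), verify(key, msg, tag), verify(key, msg + b"!", tag))
    print(float(blind_forgery_bound(12, 2 ** 32)))
```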
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:13 ADT