Bill Sommerfeld (sommerfeld@orchard.arlington.ma.us)
Tue, 30 Jun 1998 11:01:53 -0400
> >I'm actually under the impression that using a truncated hash output
> >in lieu of the hash produces a more secure result under many
> >circumstances.
> >
>
> No. Hashes do not have perfect random output. If you truncate the output
> you will introduce vulnerabilities not anticipated by the designer.
It depends on whether you're using the hash as a hash, or as a
building block in a MAC. In the former case, truncation reduces
security.
In the latter case (which, if I'm not mistaken, is what Perry was
referring to), truncation may *increase* security against key-recovery
attacks, because for any given (<message>,<MAC>) pair, it increases
the number of possible keys which could have generated the given MAC
from the message.
- Bill
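Bill's counting argument, as an added example in Python that is not part of the original thread: it exhaustively walks a constructed 16-bit key space and counts how many keys reproduce one observed (message, MAC) pair, once for the full 256-bit HMAC-SHA256 tag and once for the same tag truncated to 8 bits. The toy key size, the message and the "secret" key index are assumptions chosen so the search finishes in about a second.

```python
import hashlib
import hmac

# Constructed toy parameters (assumption): a 16-bit key space so the
# exhaustive search finishes quickly. Real keys are 128+ bits; the
# counting argument is identical, only the numbers scale.
KEY_BITS = 16
MESSAGE = b"constructed sample message"


def toy_key(i: int) -> bytes:
    """Map an integer in [0, 2**KEY_BITS) to a fixed-width key."""
    return i.to_bytes(KEY_BITS // 8, "big")


def mac(key: bytes, msg: bytes, tag_len: int) -> bytes:
    """HMAC-SHA256 of msg under key, keeping only the first tag_len bytes."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_len]


def consistent_keys(msg: bytes, tag: bytes, tag_len: int) -> int:
    """Count every key in the toy space that yields `tag` for `msg`.

    This is the set a key-recovery attacker is left with after seeing one
    (message, MAC) pair: the larger it is, the less that pair pins down
    the key.
    """
    return sum(
        1 for i in range(1 << KEY_BITS)
        if hmac.compare_digest(mac(toy_key(i), msg, tag_len), tag)
    )


def candidates_for(secret_index: int, tag_len: int) -> int:
    """Number of keys an observer cannot rule out given one MAC of MESSAGE."""
    tag = mac(toy_key(secret_index), MESSAGE, tag_len)
    return consistent_keys(MESSAGE, tag, tag_len)


if __name__ == "__main__":
    secret = 0xBEEF  # constructed "unknown" key index
    full = candidates_for(secret, 32)  # untruncated 256-bit tag
    short = candidates_for(secret, 1)  # tag truncated to 8 bits
    print(f"keys consistent with the full tag:  {full}")
    print(f"keys consistent with the 8-bit tag: {short} (expected ~2^{KEY_BITS - 8})")
```

The flip side is that an 8-bit tag lets a forger succeed with probability 2^-8 per attempt, which is why RFC 2104 advises keeping at least half the hash output and never fewer than 80 bits.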
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:15 ADT