[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 32 bit counter -- 96 bit HMAC-SHA/MD5

To: Derek Atkins <warlord@MIT.EDU>
Subject: Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Date: Fri, 14 Feb 1997 16:35:35 -0500
Address: 1 Amherst St., Cambridge, MA 02139
Cc: HUGO@watson.ibm.com, IPSEC@tis.com
In-Reply-To: Derek Atkins's message of 14 Feb 1997 15:35:11 -0500,<sjmk9ob2kjk.fsf@portnoy.mit.edu>
Phone: (617) 253-8091
Sender: owner-ipsec@ex.tis.com

   From: Derek Atkins <warlord@MIT.EDU>
   Date: 14 Feb 1997 15:35:11 -0500

   I'd be afraid that truncating to 96 bits would make brute-force
   attacks too easy.  We've already seen 48 bit RC5 keys falling in very
   short amounts of time (hours) using brute-force methods.  Today.
   These MACs need to be secure for YEARS!  I don't think that a 96-bit
   MAC is long-enough to survive brute-force attacks for very long.

Derek,
	I'm not a cryptographer, so take my comments with a grain of
salt, but my understanding is that MAC's, unlike cryptographic
checksums, aren't subject to birthday attacks, since key used to
generate the MAC is secret.  Hence, HMAC truncated to 64 bits has an
attack difficulty of O(2**64), and HMAC truncated to 96 bits has an
attack difficulty of O(2**98), NOT O(2**48).

							- Ted

References:

Re: 32 bit counter -- 96 bit HMAC-SHA/MD5

From: Derek Atkins <warlord@MIT.EDU>

Prev by Date: Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
Next by Date: Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
Prev by thread: Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
Next by thread: Re: 32 bit counter -- 96 bit HMAC-SHA/MD5
Index(es):
- Main
- Thread