
Re: truncation




I repeat briefly the main points of my post of February 16th:

 - MD5 is probably not a strong cryptographic primitive. 

 - The most dangerous attacks on HMAC constructions based on MD5
   seem to be the _key recovery_ attacks. 
   These attacks become more difficult if truncation is applied. 
   (just as DES in 16-bit CFB is harder to break than DES). 
   Forgery attacks seem to be less realistic, and also not as
   dangerous as key recovery attacks.

Bart Preneel
-------------------------------------------------------------------------------


On Mon, 10 Mar 1997, Hilarie Orman wrote:

> MD5 is already borderline, and the removal of that much of the output
> seems way too risky, an invitation to doom.  If you only have to match
> 96 bits, the possibility of taking one message+HMAC and turning it
> into a legal message'+HMAC, even without knowing the key, seems not
> impossible, given that only 96 bits have to match.  In fact, it seems
> to me that you might be able to use such a technique to test for
> individual key bits, using the receiver as a verifier.
> 
> Hilarie
> 
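The construction the thread is arguing about, written out as an added example (not code from either poster): HMAC-MD5 built from the RFC 2104 definition, a configurable truncation of the tag (96 bits is the length in question), and a constant-time verifier so that a receiver's accept/reject answer does not leak timing information about the expected tag.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 block size in bytes (RFC 2104 "B")


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 per RFC 2104: H((K ^ opad) || H((K ^ ipad) || text))."""
    if len(key) > BLOCK_SIZE:            # long keys are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + message).digest()
    return hashlib.md5(opad + inner).digest()


def truncated_tag(key: bytes, message: bytes, tag_bits: int = 96) -> bytes:
    """Leftmost tag_bits of the 128-bit HMAC-MD5 output (RFC 2104 section 5)."""
    if tag_bits % 8 or not 0 < tag_bits <= 128:
        raise ValueError("tag length must be a multiple of 8 bits, at most 128")
    return hmac_md5(key, message)[: tag_bits // 8]


def verify(key: bytes, message: bytes, tag: bytes, tag_bits: int = 96) -> bool:
    """Receiver-side check: recompute the truncated tag and compare in constant time."""
    expected = truncated_tag(key, message, tag_bits)
    if len(tag) != len(expected):         # reject tags of the wrong length outright
        return False
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample input; RFC 2202 test case 1 uses the same key and data.
    k, m = b"\x0b" * 16, b"Hi There"
    print("full   :", hmac_md5(k, m).hex())
    print("96-bit :", truncated_tag(k, m).hex())
    print("verify :", verify(k, m, truncated_tag(k, m)))
```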


