Re: truncation
I repeat briefly the main points of my post of February 16th:
- MD5 is probably not a strong cryptographic primitive.
- The most dangerous attacks on HMAC constructions based on MD5
seem to be the _key recovery_ attacks.
These attacks become more difficult if truncation is applied.
(just as DES in 16-bit CFB is harder to break than DES).
Forgery attacks seem to be less realistic, and also not as
dangerous as key recovery attacks.
Bart Preneel
-------------------------------------------------------------------------------
On Mon, 10 Mar 1997, Hilarie Orman wrote:
> MD5 is already borderline, and the removal of that much of the output
> seems way too risky, an invitation to doom. If you only have to match
> 96 bits, the possibility of taking one message+HMAC and turning it
> into a legal message'+HMAC, even without knowing the key, seems not
> impossible, given that only 96 bits have to match. In fact, it seems
> to me that you might be able to use such a technique to test for
> individual key bits, using the receiver as a verifier.
>
> Hilarie
>
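The construction under debate above is HMAC-MD5 with the tag cut to 96 bits (the truncation RFC 2104 describes, keeping the leftmost bits of the full tag). The block below is an added example, not code from either poster or from any IPsec implementation: it computes the truncated tag, verifies it the way a receiver should (recompute, truncate identically, compare in constant time), and gives the brute-force baseline that the truncation length alone sets for a guess-forgery. The key and message are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample key and message; not values from the thread.
KEY = b"constructed-example-key-not-from-thread"
MSG = b"constructed payload to authenticate"

FULL_BYTES = hashlib.md5().digest_size  # 16 bytes: the full HMAC-MD5 tag
TRUNC_BYTES = 12                        # 96 bits: the length debated above


def hmac_md5_full(key: bytes, msg: bytes) -> bytes:
    """Untruncated HMAC-MD5 tag (128 bits)."""
    return hmac.new(key, msg, hashlib.md5).digest()


def hmac_md5_96(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 tag truncated to its leftmost 96 bits, as RFC 2104
    section 5 defines truncation (keep the leftmost t bits)."""
    return hmac_md5_full(key, msg)[:TRUNC_BYTES]


def verify_hmac_md5_96(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check of a truncated tag.

    The receiver recomputes the full tag, truncates it the same way the
    sender did, and compares in constant time so that the comparison
    itself leaks nothing about where the first mismatch occurs.  A tag of
    the wrong length is rejected outright rather than compared byte-wise.
    """
    if len(tag) != TRUNC_BYTES:
        return False
    return hmac.compare_digest(hmac_md5_96(key, msg), tag)


def guess_forgery_bound(trunc_bits: int, attempts: int) -> float:
    """Upper bound (union bound) on the probability that `attempts`
    independent random tag guesses include the correct tag, if the tag
    behaved like a uniformly random t-bit value.  This is only the baseline
    that the output length sets; it says nothing about structural
    weaknesses of the underlying hash, which the thread treats separately.
    """
    return attempts * 2.0 ** -trunc_bits


if __name__ == "__main__":
    tag = hmac_md5_96(KEY, MSG)
    print("tag bits :", len(tag) * 8)
    print("valid    :", verify_hmac_md5_96(KEY, MSG, tag))
    print("modified :", verify_hmac_md5_96(KEY, MSG + b"!", tag))
    print("2^32 guesses vs 96-bit tag :", guess_forgery_bound(96, 2 ** 32))
    print("2^32 guesses vs 128-bit tag:", guess_forgery_bound(128, 2 ** 32))
```

The verification path deliberately never compares against the full 128-bit tag: sender and receiver must truncate identically, and the receiver must not accept a longer tag than the negotiated length, or an attacker could choose which variant it is checked against.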