Re: Summary of key derivation thread
Uri Blumenthal wrote:
>David Wagner wrote:
>> That's not correct. It is reasonable to view HMAC as a PRF,
>> but it is not reasonable to view SHA as a secure PRF.......
>
>Because of single-block vs. multiple-block issues?
Two reasons. First, SHA takes one input, while a PRF takes two.
Second, F_k(x) = SHA(k || x) is not a secure PRF, because of
extension attacks.
If you want a PRF, SHA-HMAC is the "right" object, IMHO, not SHA.