IETF-SSH archive


Re: SHA-2 based HMAC algorithm...



nisse%lysator.liu.se@localhost (Niels Möller) writes:

>My gut-feeling is that the suggested keysize (64 bytes, 512 bits) for hmac-
>sha2-512 is ridiculously large for a symmetric cryptographic construction. 20
>bytes (160 bits) seem sufficient, and 32 bytes (256 bits) is overkill for the
>foreseeable future.

The convention, both for pre-SHA2 hashes, and in other protocols where SHA2
hashes are used, is to use the block size as the key size.  I agree that it's
overkill, but in pretty much every case where it's used, it's the output of a
PRF, and so key size doesn't really matter.

>Ah, and one other thing: Would it make sense to use hmac-sha2-224-96
>(different initial state) rather than hmac-sha2-256-96? I confess I never
>really understood the rationale behind sha2-224 and sha2-384.

To quote someone on another list (possibly SAAG), SHA2-224 and -384 were
created by NIST to confuse the crypto-clueless.  They're barely supported and
have no real reason for existence, please don't use them.

Peter.
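
Added illustration, not part of the original message and not code from any SSH implementation: the RFC 4253 section 7.2 key derivation, stretched to the 64-byte hmac-sha2-512 key size discussed in the thread, showing that the MAC key is hash output of whatever length is requested. K, H and the session id are constructed sample values, and SHA-256 as the key-exchange hash is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from any real session.
K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big") | (1 << 255)
H = hashlib.sha256(b"constructed exchange hash").digest()
SESSION_ID = H  # the first exchange hash of a connection is its session id


def mpint(n: int) -> bytes:
    """SSH mpint encoding (RFC 4251 section 5) of a non-negative integer."""
    if n == 0:
        return struct.pack(">I", 0)
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # 0x00 pad if top bit set
    return struct.pack(">I", len(body)) + body


def derive_key(letter: bytes, length: int, kex_hash=hashlib.sha256) -> bytes:
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    Kn = HASH(K || H || K1 || ... || Kn-1); the key is the first `length` bytes."""
    prefix = mpint(K) + H
    key = kex_hash(prefix + letter + SESSION_ID).digest()
    while len(key) < length:
        key += kex_hash(prefix + key).digest()
    return key[:length]


def packet_mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """RFC 4253 section 6.4: mac = MAC(key, uint32 sequence_number || unencrypted_packet)."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.sha512).digest()


if __name__ == "__main__":
    # "E" selects the client-to-server integrity key; 64 bytes is the
    # hmac-sha2-512 key size from the thread, 20 and 32 the alternatives raised.
    for size in (20, 32, 64):
        print(size, derive_key(b"E", size).hex())
    tag = packet_mac(derive_key(b"E", 64), 0, b"constructed packet bytes")
    print("mac:", tag.hex())
```

Requesting 20, 32 or 64 bytes only changes how many hash outputs are concatenated and truncated; the entropy of the key is bounded by the key exchange, not by the requested length.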


