IETF-SSH archive


Re: SHA-2 based HMAC algorithm...



Dan Brown <dbrown%certicom.com@localhost> writes:

> HMAC accepts any key size, so adding key size to alg name seems odd.

SSH precedent seems to be that if only a single key size is ever going to
be used (either just in the SSH protocol, or ever, anywhere), then don't
include the key size in the id. Examples: "3des-cbc", "arcfour",
"hmac-sha1". And if several distinct key sizes are expected to be used, the
key size is included in the id. Examples: "aes128-cbc".

For HMAC, I don't see any need to support, e.g., hmac-sha2-256, with
several different key sizes, so there's no need to include the key size
in the identifier.

> Nevertheless, parties must use the same key size, maybe the protocol,
> ie SSH, using HMAC should fix key size to the largest not requiring an
> extra hash?

The size must be specified. But using the hash block size (which I think
is what you're suggesting) seems unnecessarily large. That would mean 512
bits for hmac-sha1 (for which use in the ssh protocol is specified to
use a 160 bit key), and 1024 bits for hmac-sha2-512, which I find
totally out of proportion. And the effective key size (i.e., the size
of the internal state an attacker needs to recover in order to form valid
MACs) is limited to the digest size, or possibly twice the digest size,
if I understand hmac correctly.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
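Added example, not from the thread or from any SSH implementation: HMAC written out per RFC 2104, to show where the key-size argument in the reply above comes from. A key longer than the hash block size is replaced by its hash before use, so at most a digest's worth of key material ever survives, and the digest/block sizes reproduce the 160, 512 and 1024 bit figures quoted. The function names are mine; the message and key bytes are constructed.

```python
import hashlib
import hmac


def hmac_rfc2104(hash_name, key, msg):
    """HMAC per RFC 2104. Returns (tag, key_was_prehashed)."""
    block = hashlib.new(hash_name).block_size   # B: 64 for sha1/sha256, 128 for sha512
    prehashed = len(key) > block
    if prehashed:
        # Step 1 of RFC 2104: a key longer than B is replaced by H(K),
        # so no more than digest_size bytes of it can influence the tag.
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")             # zero-pad shorter keys up to B
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest(), prehashed


def matches_stdlib(hash_name, key, msg):
    """Cross-check the hand-rolled HMAC against the standard library."""
    tag, _ = hmac_rfc2104(hash_name, key, msg)
    return hmac.compare_digest(tag, hmac.new(key, msg, hash_name).digest())


def long_key_is_folded(hash_name, key, msg=b"constructed message"):
    """True when the key exceeds B and gives the same tag as H(key) would."""
    tag, prehashed = hmac_rfc2104(hash_name, key, msg)
    folded = hashlib.new(hash_name, key).digest()
    folded_tag, _ = hmac_rfc2104(hash_name, folded, msg)
    return prehashed and tag == folded_tag


def size_bits(hash_name):
    """(digest bits, block bits): the two numbers the message compares."""
    h = hashlib.new(hash_name)
    return h.digest_size * 8, h.block_size * 8


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        digest, block = size_bits(name)
        print(f"hmac-{name}: digest {digest} bits, block {block} bits, "
              f"long key folded: {long_key_is_folded(name, b'k' * 200)}")
```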


