RE: SHA-2 based HMAC algorithm...

[Dan Brown <dbrown%certicom.com@localhost>]

> -----Original Message-----
> From: ietf-ssh-owner%NetBSD.org@localhost [mailto:ietf-ssh-owner%NetBSD.org@localhost] On
> Behalf Of Peter Gutmann

> Dan Brown <dbrown%certicom.com@localhost> writes:
>
> >What about FIPS 180-4, which, if I recall, defines SHA-512-256, a
> truncation
> >of SHA-512 with a different IV?
> >
> >Arguably for use in HMAC it could be truncated to 128 bits (or less),
> so one
> >could have:
> >
> >HMAC-SHA2-512-256-128
>
> Argh, no!  The point is to have a single common SHA2 version that
> everyone can

I agree: a single interoperable HMAC-SHA2 variant is sensible, since all SSH implementations should have no problem.

So, my points were merely (a) to give SSH a heads up on NIST activities, and (b) to suggest a future naming solution for any future 180-4 adherents: use three #s, but I admit that I'm not sure how much SSH needs to NIST-comply.

> [1] This rant

In NIST's defense: (1) hashes tend to get used in bizarre ways, hence the need for extra care (new IVs in draft FIPS 180-4), and (2) it is not uncommon that crypto algorithms include steps which do not prevent known attacks (e.g. provably secure algs, OAEP, PSS, etc., some of which may later resist later discovered attacks, but others which may never.)

SSH is surely not a case of (1), so probably no need for draft FIPS 180-4, i.e. HMAC-SHA2-512 can go without the new IV, for the few who'd use SHA-512 (say, for the speed?)

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.