IETF-SSH archive


RE: SHA-2 based HMAC algorithm...



> -----Original Message-----
> From: ietf-ssh-owner%NetBSD.org@localhost [mailto:ietf-ssh-owner%NetBSD.org@localhost] On
> Behalf Of Dan Brown
> Sent: Monday, April 11, 2011 11:17 AM
> To: 'Niels Möller'
>
> > 512
> > bits for hmac-sha1 (for which use in the ssh protocol is specified to
> > use a 160 bit key), and 1024 bits for hmac-sha2-512, which I find
> > totally out of proportions. And the effective key size (i.e., the size
> > of the internal state an attacker needs to recover in order to form
> > valid MACs) is limited to the digest size, or possibly twice the digest
> > size, if I understand hmac correctly.
>
> I don't quite understand your argument about the internal state.
>

Oops, now I understand.  Sorry.  Your argument is right.  The pair of values Hash(K+opad) and Hash(K+ipad) is indeed an internal state, and is a bottleneck on the effective key size equal to twice the hash (digest) length.



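The internal-state argument above, as an added example that is not part of the original message: once the two hash states left after absorbing the ipad- and opad-masked key blocks are known, any message can be MACed without the key itself. The function names and sample keys are constructed for illustration; the pad constants and long-key rule follow RFC 2104.

```python
import hashlib
import hmac


def precompute_state(key: bytes, digest: str = "sha512"):
    """Return the (inner, outer) hash objects after absorbing K^ipad and K^opad.

    This pair is everything HMAC retains about the key.
    """
    block = hashlib.new(digest).block_size
    if len(key) > block:
        # RFC 2104: keys longer than one block are hashed first.
        key = hashlib.new(digest, key).digest()
    key = key.ljust(block, b"\x00")
    inner = hashlib.new(digest, bytes(b ^ 0x36 for b in key))
    outer = hashlib.new(digest, bytes(b ^ 0x5C for b in key))
    return inner, outer


def mac_from_state(state, msg: bytes) -> bytes:
    """Compute HMAC(msg) from the precomputed pair only; the key is not used."""
    inner, outer = state
    i = inner.copy()
    i.update(msg)
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def state_bits(digest: str) -> int:
    """Size of the two chaining values: twice the digest length, in bits."""
    return 2 * hashlib.new(digest).digest_size * 8


if __name__ == "__main__":
    msg = b"constructed sample packet"
    # Constructed keys at the sizes discussed: 512 bits (sha1), 1024 bits (sha512).
    for name, key in (("sha1", bytes(range(64))), ("sha512", bytes(range(128)))):
        tag = mac_from_state(precompute_state(key, name), msg)
        ok = hmac.compare_digest(tag, hmac.new(key, msg, name).digest())
        print(f"hmac-{name}: key {len(key) * 8} bits, "
              f"state {state_bits(name)} bits, matches stdlib: {ok}")
```
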


