SHA-based encryption function in Python
Paul Crowley
paul at JUNKCATCHER.ciphergoth.org
Thu Apr 25 03:42:30 EDT 2002
Paul Rubin <phr-n2002a at nightsong.com> writes:
> Currently I'm using
>
> K1 = H('auth1' + K)
> K2 = H('auth2' + K)
> MAC = H(K1 + H(K2 + ciphertext))
This looks good. You can optimise this a little by padding K1 and K2
out to 64 bytes. That means you can store them as internal SHA
states.
> Note that there's a trivial O(2**64) attack on my authentication since
> I'm truncating the MAC to 8 bytes. So if a security difference
> between HMAC and what I'm doing needs more than O(2**64) work to
> exploit, it's not really useful to an attacker.
Not so - it is far easier for the attacker to do 2^64 offline work
than it is to present 2^64 forged messages to the remote end.
--
__ Paul Crowley
\/ o\ sig at paul.ciphergoth.org http://www.ciphergoth.org/
/\__/ BiCon 2002, discount before 10th May: http://www.2002.bicon.org.uk/
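The construction under discussion, as an added example that is not code from either poster: the quoted MAC (K1 = H('auth1' + K), K2 = H('auth2' + K), MAC = H(K1 + H(K2 + ciphertext)), truncated to 8 bytes) computed directly, beside Crowley's suggested variant where K1 and K2 are padded out to one 64-byte SHA block and absorbed once so that only the saved hash state is cloned per message. Assumptions not in the thread: "SHA" is taken to be SHA-1, and the padding bytes are zeros; hashlib's `.copy()` stands in for storing the internal state by hand.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 compression-function block size in bytes


def H(data: bytes) -> bytes:
    # The post says only "SHA"; SHA-1 (20-byte digest) is assumed here.
    return hashlib.sha1(data).digest()


def derive_subkeys(K: bytes) -> tuple:
    # K1 = H('auth1' + K), K2 = H('auth2' + K), exactly as quoted in the post.
    return H(b"auth1" + K), H(b"auth2" + K)


def pad_to_block(k: bytes) -> bytes:
    # Crowley suggests padding K1/K2 out to 64 bytes; zero padding is an
    # assumption, the post does not say which bytes to pad with.
    assert len(k) <= BLOCK
    return k.ljust(BLOCK, b"\x00")


def mac_reference(K: bytes, ciphertext: bytes, pad: bool = False,
                  truncate: int = 8) -> bytes:
    # MAC = H(K1 + H(K2 + ciphertext)), truncated to 8 bytes as in the post.
    # pad=True gives the value the padded/precomputed variant below produces.
    K1, K2 = derive_subkeys(K)
    if pad:
        K1, K2 = pad_to_block(K1), pad_to_block(K2)
    return H(K1 + H(K2 + ciphertext))[:truncate]


class PrecomputedMAC:
    """Same MAC with padded keys, but K1/K2 are hashed only once per key.

    Feeding exactly one 64-byte block leaves the hash object holding the
    compressed internal state with no buffered bytes, so cloning it per
    message is the "store them as internal SHA states" trick (Python's own
    hmac module avoids rehashing the key the same way)."""

    def __init__(self, K: bytes):
        K1, K2 = derive_subkeys(K)
        self._inner = hashlib.sha1(pad_to_block(K2))  # state after K2 block
        self._outer = hashlib.sha1(pad_to_block(K1))  # state after K1 block

    def mac(self, ciphertext: bytes, truncate: int = 8) -> bytes:
        inner = self._inner.copy()          # clone saved state, no key rehash
        inner.update(ciphertext)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()[:truncate]

    def verify(self, ciphertext: bytes, tag: bytes) -> bool:
        # Constant-time comparison so tag checking does not leak via timing.
        return hmac.compare_digest(self.mac(ciphertext), tag)


if __name__ == "__main__":
    key = b"constructed demo key"                      # constructed sample input
    ct = b"\x00\x11\x22 constructed ciphertext bytes"  # constructed sample input
    m = PrecomputedMAC(key)
    tag = m.mac(ct)
    print(tag.hex(), m.verify(ct, tag), m.verify(ct + b"!", tag))
```

The padded variant is not the same function as the unpadded one (the tags differ), so both ends have to agree on which form is in use; the 8-byte truncation is kept as posted, which is what makes the 2^64 guessing cost Rubin mentions the relevant figure.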