[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jan 4 18:45:14 EST 2012

Thor Lancelot Simon <tls at panix.com> writes:

>However, while looking at it I have been wondering why something simpler and
>better analyzed than the "folded" SHA should not be used.

Folding the output is belt-and-suspenders security; it denies an attacker
direct access to the raw output of whatever the last stage of processing
(3DES/AES/SHA1/HMAC-xxx/whatever) is.  For example, my generator is designed on
the basis that any part of it should be able to fail completely (replacing a
crypto step with memcpy() or using all-zero keys) without it affecting the
security of the overall design, and to do that you need a lot of redundant
security.  Sure, using HMAC is cryptographically sound, but what happens if
your HMAC key is compromised, or an attacker can glitch the hashing operation,
or something else goes wrong?
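An added illustration of the two points in the reply above (not code from the list post or from any generator it describes): a final "fold" so the raw digest of the last stage never leaves the extractor, and a failure model in which a stage is replaced by a plain copy or run with an all-zero key. "Folding" here is assumed to mean XORing the two halves of the digest; the stage layout and the sample pool bytes are constructed for the example.

```python
import hashlib
import hmac


def fold(digest: bytes) -> bytes:
    """Assumed folding: XOR the two halves so an observer never sees the
    full raw output of the last stage (half the bits leave the extractor)."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def folded_sha1_extract(pool: bytes) -> bytes:
    """The plain 'folded SHA1' extractor: hash the pool, then fold."""
    return fold(hashlib.sha1(pool).digest())


def hmac_extract(pool: bytes, key: bytes) -> bytes:
    """The alternative: keyed HMAC-SHA1 over the pool, raw 20-byte output."""
    return hmac.new(key, pool, hashlib.sha1).digest()


def redundant_extract(pool: bytes, key: bytes,
                      hash_broken: bool = False,
                      key_zeroed: bool = False) -> bytes:
    """Two processing stages followed by a fold.  The flags simulate the
    failure model from the post: a crypto step degraded to a memcpy(), or
    an HMAC run with an all-zero key.  Either way the caller only ever
    receives the folded output, never a stage's raw result."""
    # Stage 1: hash the pool; a "broken" hash is just a copy of the first bytes.
    stage1 = pool[:20].ljust(20, b"\x00") if hash_broken else hashlib.sha1(pool).digest()
    # Stage 2: HMAC with the real key, or with an all-zero key if it was lost.
    stage2 = hmac_extract(stage1, bytes(20) if key_zeroed else key)
    # Stage 3: fold, so neither stage1 nor stage2 is ever exposed directly.
    return fold(stage2)


if __name__ == "__main__":
    sample_pool = bytes(range(64))          # constructed sample entropy pool
    sample_key = b"constructed-hmac-key"    # constructed sample key
    print(folded_sha1_extract(sample_pool).hex())
    print(redundant_extract(sample_pool, sample_key).hex())
    print(redundant_extract(sample_pool, sample_key, hash_broken=True, key_zeroed=True).hex())
```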
