[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Thor Lancelot Simon tls at panix.com
Thu Jan 5 11:56:02 EST 2012


On Thu, Jan 05, 2012 at 12:45:14PM +1300, Peter Gutmann wrote:
> Thor Lancelot Simon <tls at panix.com> writes:
> 
> >However, while looking at it I have been wondering why something simpler and
> >better analyzed than the "folded" SHA should not be used.
> 
> Folding the output is belt-and-suspenders security, it denies an attacker
> direct access to the raw output of whatever the last stage of processing
> (3DES/AES/SHA1/HMAC-xxx/whatever) is.  For example my generator is designed on
> the basis that any part of it should be able to fail completely (replacing a
> crypto step with memcpy() or using all-zero keys) without it affecting the
> security of the overall design, and to do that you need a lot of redundant
> security.  Sure, using HMAC is cryptographically sound, but what happens if
> your HMAC key is compromised, or an attacker can glitch the hashing operation,
> or something else goes wrong?

I'm proposing to use HMAC with two different, non-secret keys: one to
generate the data supplied to the output stage, one to generate the
data mixed back in.  It seems to me this uses the same number of
invocations of the hash function per output byte, and, unless I'm missing
something, the "folding" surely isn't _more_ secure.

Am I missing something?

Thor



More information about the cryptography mailing list