[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Thor Lancelot Simon tls at panix.com
Thu Jan 5 16:46:18 EST 2012


On Fri, Jan 06, 2012 at 07:59:30AM +1100, ianG wrote:
> 
> The way I treat this problem is that it is analogous to inventing
> ones own algorithm.  From that perspective, one can ask:

What is?  The "folded" SHA, or the use of HMAC?

You do understand why it's important to obscure what's mixed back in,
I assume.  If not, read the paper I referenced on the Linux RNG;
by insufficently obscuring what went back into the pool, the
implementors made an attack with only 2^64 complexity possible.

With the constraint that you can't just output exactly what you
mix back in, a plain hash function without some further transformation
won't suffice, whether it's MD4 or SHA512.  I am asking whether the
use of HMAC with two different, well known keys, one for each purpose,
is better or worse than using the "folded" output of a single SHA
invocation for one purpose and the unfolded output of that same
invocation for the other.

Thor



More information about the cryptography mailing list