HMAC using a static key is a bad idea?|
"Hans Steegers" <hsx,AT,dds,DOT,nl>|
Mon, 29 Sep 2003 14:22:40 +0200|
"Hans Steegers" <steegers,AT,steegers,DOT,nl>|
Encrypting a CRC with a static key seems to me a BAD idea: The original CRC
is computable and since always the same key is used, this key is eventually
retrievable. We need a changing key with limited life-span.
If we XOR (or do another fast operation to create a new key with) this
static HMAC-key with the dynamic key in use, and use the result to encrypt
the CRC, the HMAC-key will have the same protection as the main key. Or does
this give away the dynamic key? My guess is that such an operation must be
irreversible to be safe.
Can anybody spend some ammunition on this?