Allan Latham <alatham,AT,flexsys-group,DOT,com>,cipe-l,AT,inka,DOT,de|
Re: Simple steps to improve CIPE security|
Wolfgang Walter <ml-cipe,AT,studentenwerk,DOT,mhn,DOT,de>|
Tue, 30 Sep 2003 17:00:11 +0200|
On Tuesday, 30 September 2003 15:21, Allan Latham wrote:
> Hi all
> MD5 is mature and well researched. Perfect it isn't, but I think we can say
> that the likelihood is that gross errors which would limit its usefulness
> in our application do not exist in it.
> This is not the case of hash127. Until this has been scrutinized by those
> much cleverer than me I would prefer to leave it alone.
> It will not be possible to use a keyed hash without new key material -
> using the static or dynamic key is not safe. That in turn means
> modifications to the KX mechanism which I would want to avoid at this
> Best regards
Strongly universal hash functions are well researched. They were already
developed in the late 70s by Carter and Wegman. They are hash functions
with certain mathematical properties which can be proved. Bernstein proves
this for his hash127 function.
Their security (for authentication and integrity) then is unconditional. That
means its cryptographic security only depends on the pseudo-random-generator
used, i.e. if you use AES: The MAC is cryptographically broken if and only if
AES is broken. If AES is broken you can still use hash127 but with another
cypher as pseudo-random-generator.
Institution under public law
Tel: +49 89 38196 276
Fax: +49 89 38196 144
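
Added example (not part of the original message, and not Bernstein's hash127 code): a toy Wegman-Carter style MAC in Python, where a polynomial hash modulo 2^127 - 1 is masked by a per-message pad from a pseudo-random function that can be swapped without touching the hash. HMAC-SHA256 and keyed BLAKE2b stand in for the cipher (the message names AES); the function names, the 96-bit chunking, the length prefix and the two separate secrets `r` and `key` are assumptions made for this illustration.

```python
import hashlib
import hmac

P = 2**127 - 1  # prime modulus, the one hash127 takes its name from

def poly_hash(r: int, msg: bytes) -> int:
    """Evaluate msg as a polynomial in the secret point r modulo P (Horner's rule)."""
    # Length prefix keeps messages of different lengths distinct (assumed encoding).
    data = len(msg).to_bytes(8, "big") + msg
    acc = 0
    for i in range(0, len(data), 12):  # 96-bit chunks, always smaller than P
        acc = (acc + int.from_bytes(data[i:i + 12], "big")) * r % P
    return acc

def hmac_prf(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()

def blake2_prf(key: bytes, nonce: bytes) -> bytes:
    return hashlib.blake2b(nonce, key=key, digest_size=32).digest()

def wc_tag(r, key, nonce, msg, prf=hmac_prf) -> int:
    """tag = hash_r(msg) + pad(nonce) mod P; each nonce may be used only once."""
    pad = int.from_bytes(prf(key, nonce), "big") % P
    return (poly_hash(r, msg) + pad) % P

def wc_verify(r, key, nonce, msg, tag, prf=hmac_prf) -> bool:
    if not 0 <= tag < P:
        return False
    expected = wc_tag(r, key, nonce, msg, prf)
    return hmac.compare_digest(expected.to_bytes(16, "big"), tag.to_bytes(16, "big"))

def demo() -> dict:
    # Constructed sample secrets and packet, fixed so the run is repeatable.
    r = int.from_bytes(hashlib.sha256(b"constructed hash key").digest(), "big") % P
    key = hashlib.sha256(b"constructed pad key").digest()
    nonce, packet = (1).to_bytes(8, "big"), b"constructed tunnel packet"
    tag = wc_tag(r, key, nonce, packet)
    return {
        "valid": wc_verify(r, key, nonce, packet, tag),
        "tampered": wc_verify(r, key, nonce, packet + b"!", tag),
        # Swapping the pad generator leaves the hash and its key untouched.
        "other_prf": wc_verify(r, key, nonce, packet,
                               wc_tag(r, key, nonce, packet, blake2_prf), blake2_prf),
        "prf_mismatch": wc_verify(r, key, nonce, packet, tag, blake2_prf),
    }

if __name__ == "__main__":
    print(demo())
```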