M. Bellare, R. Canetti, H. Krawczyk, "How to key Merkle--Cascaded pseudorandomness and its concrete security," 10 November 1995, http:// www.research. ibm.com/security/.  Home/Search   Document Not in Database   Summary   Related Articles   Check

.... The HMAC method produces MACs as MAC(X) H(K;H(K;X) or MAC(X) H(K 1 ; H(K 2 ; X) 17, 3] 1 These constructions are in popular use, since they are simple, easy to implement with existing hash codes, and have some evidence for security under reasonable assumptions on the hash function [2, 3]. All these MAC constructions, however, are susceptible to birthday type attacks against MAC forgery and key recovery described in [21, 22] though the required number of known text MAC pairs is impractically large for most choices of parameters. On the other hand, Bellare et al. 6] proposed a ....

M.Bellare, R.Canetti and H.Krawczyk, How to key Merkle-cascaded pseudorandomness and its concrete security, http://www.research.ibm.com/security/.

....of the Internet Engineering Task Force (IETF) prepends and appends a secret key K to the message input: MAC(x) h(KkpkxkK) Here k denotes concatenation, and p denotes some padding bits. This construction was supported by a security proof under assumptions regarding the pseudo randomness of MD5 [3]. An alternative HMAC [4] involving two invocations of h( Delta) is defined as MAC(x) h(Kkp 1 kh(Kkp 2 kx) where p 1 and p 2 are strings of padding bits which pad K out to a full block; a version without padding was proposed earlier in [12] The security of HMAC can be proven based on the ....

.... working group for authentication of IP datagrams, namely RFC 1828 [17] specifies a variant of this using MD5 and a single key K: MAC(x) h(KkpkxkK) Here p denotes some padding bits chosen such that Kkp fills the first block, and allows for a security proof assuming pseudo randomness of MD5 [3]. RFC 1828 allows a variable length key, and mandates support for bitlengths up to 128 bits. An important consideration motivating use of envelope MACs is that they require minimal implementation and deployment effort: code for the underlying unkeyed hash function can be used without modification. ....

M. Bellare, R. Canetti, H. Krawczyk, "How to key Merkle--Cascaded pseudorandomness and its concrete security", 10 November 1995, http:// www.research. ibm.com/security/.

....In this work we have initiated the first rigorous treatment of the subject and, in particular, present the first constructions whose security can be formally analyzed, without resorting to unrealistic assumptions such as the ideality of the underlying hash functions. In a companion work [BCK] we consider how to design pseudo random functions out of compression functions. We study the natural way of keying Merkle s construction (which underlines the design of iterated hash functions) and show that if the compression function is pseudo random then so is its iteration. The notion of a ....

....and conquer attack shows that one cannot replace in Theorem 4.1 the expression ffl f ffl F by the much stronger ffl f Delta ffl F . It also serves to show that the use of a single bit long key in HMAC does not weaken the function against exhaustive search. Birthday attacks. As shown by [PV1, BCK], birthday attacks, that are the basis to finding collisions in cryptographic hash functions, can be applied to attack also keyed MAC schemes based on iterated functions (including also CBC MAC, and other schemes) These attacks apply to the constructions mentioned above as well as to our new ....

[Article contains additional citation context not shown here]

M. Bellare, R. Canetti and H. Krawczyk, "How to key Merkle: Cascaded pseudorandomness and its concrete security."

No context found.

M. Bellare, R. Canetti, H. Krawczyk, "How to key Merkle--Cascaded pseudorandomness and its concrete security," 10 November 1995, http:// www.research. ibm.com/security/.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC