Re: HMAC

From: Mark Wooding (mdw_at_nsict.org)
Date: 07/24/03


Date: 24 Jul 2003 15:31:16 GMT

Phillip Hauser <phauser_nospam@gmx.de> wrote:

> So it doesn't really matter whether I use OMAC or HMAC. OMAC is
> slightly better?

Using OMAC means that you're trusting your block cipher (Rijndael) for
your integrity. That's fine: you're already trusting it for
encryption: if it breaks, you're stuffed anyway.

HMAC with SHA512 will (educated guess) be considerably slower than OMAC
with Rijndael. Both OMAC and HMAC are provably secure provided the
underlying components do their jobs, so it comes down to the primitives:
I trust Rijndael more than I trust SHA512 right now.

> Rijndael in CBC mode using an IV. 256bit key length. 128bit block
> size.

That sounds fine. Pretty much what I'd suggest. Make sure that you
choose your IVs at random.

> So an important point (to state what you have written) is to use
> different keys for each direction (send/receive) and to derive these
> keys from the secret key. Never use the secret key itself to encrypt
> something or calculate a MAC. Is that right?

Yeah.

The basic principle is to use each key for one thing only. If you use
it for deriving other keys, then don't use it for encryption. If you
use it for encryption, don't use it for your MAC.

The separation in two directions is in part to prevent reflection (i.e.,
an adversary sending me one of my own messages).

In this case, where both your MAC and encryption schemes are based on
the same block cipher, it might be disastrous to use the same key for
both: it's eminently possible that an adversary be able to use either one
to break the other in some way.

-- [mdw]
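
The key-separation and reflection points in the post above, as an added example that is not part of the original post: separate encryption and MAC keys are derived per direction from one master secret, and a packet reflected back to its sender fails verification. HMAC-SHA256 from the Python standard library stands in for both the key derivation and the MAC (the standard library has no Rijndael or OMAC); the roles `A`/`B`, the labels and the class names are assumptions.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def derive_key(master: bytes, purpose: bytes, direction: bytes) -> bytes:
    # The master secret is only ever used here, as the key of the derivation PRF.
    return hmac.new(master, purpose + b"|" + direction, hashlib.sha256).digest()


class Endpoint:
    """One side of the link; role is "A" or "B" (assumed names)."""

    def __init__(self, master: bytes, role: str):
        out, inc = (b"A->B", b"B->A") if role == "A" else (b"B->A", b"A->B")
        # Four single-purpose keys: encryption and MAC, one pair per direction.
        self.enc_send = derive_key(master, b"enc", out)  # would key the cipher
        self.enc_recv = derive_key(master, b"enc", inc)
        self.mac_send = derive_key(master, b"mac", out)
        self.mac_recv = derive_key(master, b"mac", inc)

    def protect(self, payload: bytes) -> bytes:
        return payload + hmac.new(self.mac_send, payload, hashlib.sha256).digest()

    def accept(self, packet: bytes):
        """Return the payload if the tag verifies under the receive key, else None."""
        if len(packet) < TAG_LEN:
            return None
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        good = hmac.new(self.mac_recv, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, good) else None


class SharedKeyEndpoint(Endpoint):
    """Contrast case: the master secret itself is the MAC key in both directions."""

    def __init__(self, master: bytes, role: str):
        super().__init__(master, role)
        self.mac_send = self.mac_recv = master


if __name__ == "__main__":
    master = bytes(range(32))  # constructed sample secret
    a, b = Endpoint(master, "A"), Endpoint(master, "B")
    pkt = a.protect(b"pay 100 to B")
    print("B accepts A's packet:", b.accept(pkt))
    print("A accepts its own packet reflected back:", a.accept(pkt))
    weak = SharedKeyEndpoint(master, "A")
    print("shared-key A accepts its own packet:", weak.accept(weak.protect(b"pay 100 to B")))
```

With per-direction keys the reflected packet is rejected because A verifies under the B-to-A key, which never produced that tag; the shared-key variant accepts it.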


