Re: Strength of HMAC-SHA1-32

Kristian Gjøsteen wrote:
> If you can have a sufficiently long key, a 32-bit HMAC-SHA1-32 will
> ensure that the attacker can forge MAC tags with probability at most
> 2^(-32). If you can live with that forgery probability (few packets,
> not so big a problem if a few packets are forged, etc.), then you
> can probably live with HMAC-SHA1-32.

One technique that can help in some settings is to use hash chaining:
Each packet contains the HMAC of the packet payload as well as a hash
of all prior packets. In this way, an attacker who modifies one packet
will have a 1/2^32 chance of escaping immediate detection, but even if
the attack is not immediately detected, the attack will likely be
detected on the next packet (when the attacker will not be able to fix
up the MAC on the subsequent packet). In some settings, this may be
tolerable, because there may not be much harm that an attacker can do
by tampering with a single packet. For instance, consider VOIP, where
disrupting a single packet of voice data is probably not going to have
much of an impact on overall call quality.

Now there are several pitfalls and shortcomings here. For one thing,
this approach can only be applied straightforwardly if the underlying
medium provides in-order reliable delivery -- which is usually not the
case where short MACs are needed. There are some more complex schemes
that attempt to do something about this but I'm not sure how convincing
they are. Also, the application layer has to be designed carefully to
ensure that introducing a single forged packet is not sufficient to
cause devastating harm. Nonetheless, if there is no other alternative,
some approach along these lines may be worth considering, as it may well
be better than nothing.
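As an added illustration (not code from the thread), the chaining scheme described above in Python: each 32-bit tag is assumed to cover the running hash of all prior payloads together with the current payload, so a forgery that happens to pass the 32-bit check leaves the receiver's chain out of sync and the next untouched packet fails. The "lucky guess" is simulated by computing the forged tag with the key, which only stands in for the 2^-32 event.

```python
import hashlib
import hmac

TAG_LEN = 4  # HMAC-SHA1-32: keep only the first 32 bits of HMAC-SHA1


def tag(key, chain, payload):
    """32-bit tag over the running hash of prior packets plus this payload."""
    return hmac.new(key, chain + payload, hashlib.sha1).digest()[:TAG_LEN]


def extend_chain(chain, payload):
    """Running hash of every payload so far (empty before the first packet)."""
    return hashlib.sha1(chain + payload).digest()


class Endpoint:
    """Either side of the channel; both track the same chain while in sync."""

    def __init__(self, key):
        self.key = key
        self.chain = b""

    def send(self, payload):
        pkt = payload + tag(self.key, self.chain, payload)
        self.chain = extend_chain(self.chain, payload)
        return pkt

    def receive(self, pkt):
        payload, t = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        ok = hmac.compare_digest(t, tag(self.key, self.chain, payload))
        # Advance from what was actually received: a forgery that slipped past
        # the 32-bit check desynchronises the chain, so later packets fail.
        self.chain = extend_chain(self.chain, payload)
        return ok


def run(tamper_index=None, lucky=True):
    """Send three constructed packets, optionally tampering with one in transit.

    lucky=True simulates the attacker's 2^-32 tag guess succeeding (the forged
    tag is computed with the key here purely to model that event); lucky=False
    keeps the original tag on the modified payload.
    """
    key = b"constructed-demo-key"  # constructed sample key
    sender, receiver = Endpoint(key), Endpoint(key)
    payloads = [b"frame-0", b"frame-1", b"frame-2"]  # constructed samples
    results = []
    for i, p in enumerate(payloads):
        pkt = sender.send(p)
        if i == tamper_index:
            forged = b"frame-X"
            t = tag(key, receiver.chain, forged) if lucky else pkt[-TAG_LEN:]
            pkt = forged + t
        results.append(receiver.receive(pkt))
    return results
```

`run(1)` returns `[True, True, False]`: the forged packet is accepted, but the following genuine packet is rejected because the chains no longer agree.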