[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Correction: Re: Serious crypto problem fixed by envelope HMAC method insteadof currently used prefix

To: Omirjan Batyrbaev <batyr@xxxxxxxxxxxx>
Subject: Re: Correction: Re: Serious crypto problem fixed by envelope HMAC method insteadof currently used prefix
From: Steve Friedl <steve@xxxxxxxxxxx>
Date: Mon, 20 Nov 2006 22:02:13 -0800

On Mon, Nov 20, 2006 at 01:45:45PM -0500, Omirjan Batyrbaev wrote:
> This would have been a problem if the HMAC was just SHA-1(...) or MD5 (...)
> or similar type of prefix HMAC. However, the HMAC used in TLS is more
> involved construct (see RFC 2104) and the attack is not applicable.

It is indeed more complicated than that, and though one could certainly
look at a boring RFC, it would sure be easier to look at a colorful
technical illustration that shows how HMAC works.

        An Illustrated Guide to IPSec
        http://www.unixwiz.net/techtips/iguide-ipsec.html#hmac

Steve :-)

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@xxxxxxxxxxx

References:
- Serious crypto problem fixed by envelope HMAC method insteadof currently used prefix
  - From: Omirjan Batyrbaev
- Correction: Re: Serious crypto problem fixed by envelope HMAC method insteadof currently used prefix
  - From: Omirjan Batyrbaev

Prev by Date: Which is more secure? Oracle vs. Microsoft
Next by Date: LS-20061113 - CA BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability
Previous by thread: Correction: Re: Serious crypto problem fixed by envelope HMAC method insteadof currently used prefix
Next by thread: eClassifieds [injection sql]
Index(es):
- Date
- Thread