hmac format?
Markus Friedl
markus.friedl at informatik.uni-erlangen.de
Mon May 22 04:07:41 EST 2000
On Sat, May 20, 2000 at 05:29:55PM -0400, Mike Benham wrote:
> I was looking at the way that ssh calculates an hmac, and I
> noticed that the ordering is a little strange - it does hash(key+message).
> Shouldn't this rather be hash(message+key)? In the former situation, it
> could be possible for an attacker to append something to the end of the
> data being sent. The attacker would be able to calculate a valid hmac
> without knowing the key. For instance, since md5 does rounds on blocks of
> 512bits, where the output of the last round is the input for the first
> round of the next block; an attacker could just use the existing hmac as
> input for a new block to append. If the hash were computed as
> hash(message+key), the attacker would have to know the key to do that.
> How do people feel about this? Am I missing something here?
HMAC (rfc2104) works this way: F(k1, F(k2, x)), so the key influences
both the 1st and the last invocation of the compression function.
It's more like hash(key+message+key).
-markus
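As an added illustration (not part of this thread), the RFC 2104 construction Markus describes, written out longhand in Python on top of hashlib so the inner and outer keyed passes are visible, beside the bare hash(key || message) that Mike read the code as; compare_against_stdlib checks the longhand version against Python's hmac module.

```python
import hashlib
import hmac


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC as RFC 2104 defines it: H((K ^ opad) || H((K ^ ipad) || message)).

    The key is mixed into both the first and the last pass of the hash, so the
    tag is the output of an outer keyed hash, never a raw hash state that an
    attacker could continue from.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 / SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()   # long keys are hashed first
    key = key.ljust(block_size, b"\x00")              # then zero-padded to block size
    k_ipad = bytes(b ^ 0x36 for b in key)             # inner key (k2 in the thread)
    k_opad = bytes(b ^ 0x5C for b in key)             # outer key (k1 in the thread)
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def prefix_mac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """The construction Mike thought he saw: a single hash(key || message).

    Here the tag IS the final hash state of the message, which is why this
    form, unlike HMAC, is not safe against appending data to the message.
    """
    return hashlib.new(hash_name, key + message).digest()


def compare_against_stdlib(key: bytes, message: bytes, hash_name: str = "md5") -> bool:
    """True when the longhand HMAC matches Python's hmac module for this input."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(rfc2104_hmac(key, message, hash_name), expected)


if __name__ == "__main__":
    # Constructed sample input: RFC 2202 HMAC-MD5 test case 1 (key = 16 x 0x0b).
    key, msg = b"\x0b" * 16, b"Hi There"
    print("HMAC-MD5    :", rfc2104_hmac(key, msg).hex())
    print("hash(k||m)  :", prefix_mac(key, msg).hex())
    print("matches hmac:", compare_against_stdlib(key, msg))
```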