Let's play a game called "variable from real source code or Croatian family name": Hmacblksz
@elwoz @marshray @matthew_d_green @0xabad1dea H(key + message) where H is immune to length extension attacks?

@bascule @marshray @matthew_d_green @0xabad1dea ... so, HMAC minus its length extension defense.

@elwoz @bascule @matthew_d_green @0xabad1dea @sergeybratus More than that, HMAC reapplies the key material just one block before the output.

@matthew_d_green @marshray @elwoz @bascule @0xabad1dea @sergeybratus Using HMAC with SHA3 is like buying a couch and leaving the plastic on.

@matthew_d_green @elwoz @bascule @0xabad1dea @sergeybratus You mean Keccak tho. We don't yet know if SHA-3 per se will define that mode.

@marshray @matthew_d_green @elwoz @0xabad1dea @sergeybratus you mean the "squeeze" step that obsoletes HMAC? Isn't that a SHA3 requirement?

@bascule @matthew_d_green @elwoz http://csrc.nist.gov/groups/ST/hash/documents/SHA-3_FR_Notice_Nov02_2007%20-%20more%20readable%20version.pdf ... saying NIST asked for hash fns, they may not approve bare SHA-3 as a repl for HMAC.

@marshray @matthew_d_green @elwoz according to the Keccak paper, NIST SP 800-108 is the only standard that relies explicitly on HMAC
@bascule @elwoz @matthew_d_green @0xabad1dea http://csrc.nist.gov/groups/ST/hash/sha-3/documents/Keccak-slides-at-NIST.pdf ... Essentially that is being proposed on slide 41 (Feb 2013)