Mailing List Archive

hmac format?
I was looking at the way that ssh calculates an hmac, and I
noticed that the ordering is a little strange - it does hash(key+message).
Shouldn't this rather be hash(message+key)? In the former situation, it
could be possible for an attacker to append something to the end of the
data being sent. The attacker would be able to calculate a valid hmac
without knowing the key. For instance, since md5 does rounds on blocks of
512bits, where the output of the last round is the input for the first
round of the next block; an attacker could just use the existing hmac as
input for a new block to append. If the hash were computed as
hash(message+key), the attacker would have to know the key to do that.
How do people feel about this? Am I missing something here?

- Mike

---------------------------------------------------------------------------
"A totalitarian state thrives on propaganda, and there is no more effective
way to limit thought than to control the language itself. By changing
definitions of words through continual association, any serious discussion
involving the concepts that the words represent becomes hopelessly muddled."
---------------------------------------------------------------------------
Moxie - moxie@thoughtcrime.org / moxie@vivid.net
http://www.thoughtcrime.org
Re: hmac format?
On Sat, 20 May 2000, Mike Benham wrote:

> I was looking at the way that ssh calculates an hmac,
> and I noticed that the ordering is a little strange - it does
> hash(key+message). Shouldn't this rather be hash(message+key)?

Which bit of code are you referring to?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
Re: hmac format?
On Sat, May 20, 2000 at 05:29:55PM -0400, Mike Benham wrote:
> I was looking at the way that ssh calculates an hmac, and I
> noticed that the ordering is a little strange - it does hash(key+message).
> Shouldn't this rather be hash(message+key)? In the former situation, it
> could be possible for an attacker to append something to the end of the
> data being sent. The attacker would be able to calculate a valid hmac
> without knowing the key. For instance, since md5 does rounds on blocks of
> 512bits, where the output of the last round is the input for the first
> round of the next block; an attacker could just use the existing hmac as
> input for a new block to append. If the hash were computed as
> hash(message+key), the attacker would have to know the key to do that.
> How do people feel about this? Am I missing something here?

HMAC (rfc2104) works this way: F(k1, F(k2, x)), so the key influences
both the 1st and the last invocation of the compression function.
It's more like hash(key+message+key).

-markus
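The nested construction Markus describes, written out as an added example (not code from the thread or from ssh): a hand-rolled RFC 2104 HMAC with the ipad/opad key-whitening, cross-checked against Python's hmac module and the RFC 2104 MD5 test vector. The function and variable names are the example's own.

```python
import hashlib
import hmac as stdlib_hmac  # used only to cross-check the hand-rolled version

# HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), i.e. F(k1, F(k2, x)).
# The key feeds the first compression block of the inner hash and the first
# block of the outer hash, so the final tag is not a plain hash(key + m) that
# ends in an extendable chaining state.

def rfc2104_hmac(key: bytes, message: bytes, digestmod=hashlib.md5) -> bytes:
    block_size = digestmod().block_size      # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:                # RFC 2104: hash over-long keys first
        key = digestmod(key).digest()
    key = key.ljust(block_size, b"\x00")     # zero-pad the key to one block
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = digestmod(k_ipad + message).digest()
    return digestmod(k_opad + inner).digest()

def matches_stdlib(key: bytes, message: bytes, name: str = "md5") -> bool:
    # Cross-check against the standard library implementation of the same RFC.
    ours = rfc2104_hmac(key, message, getattr(hashlib, name))
    return ours == stdlib_hmac.new(key, message, name).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # Receiver side: recompute and compare in constant time.
    return stdlib_hmac.compare_digest(rfc2104_hmac(key, message), tag)

if __name__ == "__main__":
    # RFC 2104 test vector: key = 0x0b * 16, data = "Hi There"
    print(rfc2104_hmac(b"\x0b" * 16, b"Hi There").hex())
```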