On Sat, 24 Jul 2004, Roger Moser wrote:
> James Couzens wrote:
>
> >> What is the minimum recommended length of the secret key used to generate
> >> the cryptographic hash so that the secret key cannot be guessed by
> >> cryptographic analysis of email addresses modified by SRS?
>
> > 512 bits for SHA-160, and ideally they would be all truly random too.
>
> SRS uses HMAC-SHA1 where the key is limited to 64 bits. What was the reason
> to use HMAC-SHA1 instead of SHA-1 applied to the concatenation of a secret
> key (without length limit) and the string to hash?

The reason for the existence of HMAC (and hence the use of HMAC/SHA1
instead of SHA1) is that the simple crypto algorithms can under some
circumstances have weaknesses or leak information, especially on very
short data sets. HMAC removes this weakness, given certain assumptions
which hold for both MD5 and SHA1.

I'm afraid I don't have a Schneier green book to hand, but I'm sure either
that or the red book explain this more fully. For example, from RFC2104:

"MD5 has been recently shown to be vulnerable to collision search attacks.
This attack and other currently known weaknesses of MD5 do not compromise
the use of MD5 within HMAC as specified in this document"

The reason for the choice of SHA1 over MD5 is entirely political: Certain
government or high level organisations require the use of SHA1 over MD5
for certain purposes, and I was advised that the choice of SHA1 was likely
to ease the adoption of this protocol in places with a strong political
cryptographic agenda.

S.
--
Shevek
http://www.anarres.org/ Robust Sender Policy Framework (SPF)
http://www.libspf2.org/ SRS for the next generation
http://www.libsrs2.org/
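The following is an added worked example, not part of the thread above and not libsrs2 code. It shows concretely what the reply is getting at: the naive alternative Roger asks about, SHA1(key || msg), lets anyone holding one valid tag extend the message and compute a valid tag for the extension without the key (a length-extension forgery), while HMAC-SHA1 as defined in RFC 2104 does not. It also shows the RFC 2104 key handling that the "limited to 64" remark touches on: keys longer than the 64-byte block are first replaced by their SHA-1 hash, and shorter keys are zero-padded to 64 bytes. The SHA-1 here is a small teaching implementation (cross-checked against hashlib) only because the standard library cannot resume a hash from a known digest; the key, the SRS-style address and the "prefix MAC" construction are constructed sample data and a hypothetical design, not anything SRS ships.

```python
"""Added example (not from the original thread or libsrs2): HMAC-SHA1 per
RFC 2104 versus the naive SHA1(key || msg), and why the latter is forgeable.
The key, messages and the prefix-MAC construction are constructed for
illustration; SHA-1 is re-implemented only so a digest can be resumed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block (FIPS 180-1)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & MASK
        e, d, c, b, a = d, c, _rotl(b, 30), a, tmp
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1_padding(total_len):
    """Merkle-Damgard padding that SHA-1 appends to a total_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=SHA1_IV, total_len=None):
    """SHA-1 of data. state/total_len let a caller resume from a known digest,
    which is exactly what a length-extension attacker does."""
    if total_len is None:
        total_len = len(data)
    padded = data + sha1_padding(total_len)
    for i in range(0, len(padded), 64):
        state = _sha1_compress(state, padded[i:i + 64])
    return struct.pack(">5I", *state)


def prefix_mac(key, msg):
    """Hypothetical naive MAC from the question: SHA1(key || msg). Do not use."""
    return sha1(key + msg)


def hmac_sha1(key, msg):
    """HMAC-SHA1 exactly as RFC 2104 describes it (block B = 64, output L = 20)."""
    if len(key) > 64:             # keys longer than the block are hashed first
        key = sha1(key)
    key = key.ljust(64, b"\x00")  # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return sha1(opad + sha1(ipad + msg))


def forge_prefix_mac(tag, msg, key_len, suffix):
    """Length extension: given SHA1(key||msg), len(msg) and a guess at len(key),
    produce a valid tag for msg || glue || suffix without knowing the key."""
    glue = sha1_padding(key_len + len(msg))
    state = struct.unpack(">5I", tag)
    total = key_len + len(msg) + len(glue) + len(suffix)
    return msg + glue + suffix, sha1(suffix, state, total)


def demo():
    key = b"constructed-secret"                        # sample secret, 18 bytes
    msg = b"SRS0=HHH=TT=example.org=alice@fwd.example.net"  # sample SRS-style input
    suffix = b"@attacker.example"
    results = {
        "sha1_matches_hashlib": sha1(msg) == hashlib.sha1(msg).digest(),
        "hmac_matches_stdlib": hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest(),
    }
    # 1. Naive prefix MAC: the attacker extends the message with no key knowledge.
    forged_msg, forged_tag = forge_prefix_mac(prefix_mac(key, msg), msg, len(key), suffix)
    results["prefix_mac_forged"] = prefix_mac(key, forged_msg) == forged_tag
    # 2. HMAC: the tag is SHA1(opad_key || inner), so resuming from it only extends
    #    the outer hash over opad_key || inner || pad || suffix, the HMAC of no message.
    outer_len = 64 + 20
    glue = sha1_padding(outer_len)
    attempt = sha1(suffix, struct.unpack(">5I", hmac_sha1(key, msg)), outer_len + len(glue) + len(suffix))
    results["hmac_forged"] = attempt == hmac_sha1(key, forged_msg)
    # 3. RFC 2104 key handling: a key longer than 64 bytes is replaced by SHA1(key).
    long_key = bytes(range(100))
    results["long_key_is_hashed"] = hmac_sha1(long_key, msg) == hmac_sha1(sha1(long_key), msg)
    return results
```

Run demo(): the prefix MAC is forged, the HMAC attempt fails, and a 100-byte key gives the same tags as its 20-byte SHA-1 hash, which is why RFC 2104 recommends a key of at least L = 20 bytes and treats anything over the 64-byte block as no stronger than its hash.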