Timeline for Does pepper *require* an HMAC?
Current License: CC BY-SA 4.0
8 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Apr 15, 2020 at 5:01 | vote | accept | ManRow | ||
| Apr 14, 2020 at 20:39 | comment | added | Maarten Bodewes♦ | @fgrieu Sure, I put in a stronger hash requirement. You're theoretically correct of course, but the hash needs to be really weak for short, static, random content to become a problem in this scenario. | |
| Apr 14, 2020 at 20:29 | history | edited | Maarten Bodewes♦ | CC BY-SA 4.0 | added 85 characters in body |
| Apr 14, 2020 at 20:21 | comment | added | kelalaka | @fgrieu one can use SHA256/224 or SHA512/256 etc. to mitigate length extension attacks. | |
| Apr 14, 2020 at 19:34 | comment | added | fgrieu♦ | I agree with the conclusion, but not with "statically sized" as the sole argument (I get it as: length extension does not apply). It is necessary to invoke that SHA-2 is a good enough hash that $X\mapsto H(S\mathbin\parallel X)$ is a good PRF keyed by $S$ for constant-size $X$. It would be possible to define a weak $H$ such that observing $X\mapsto H(S\mathbin\parallel X)$ leaks $S$, when that would not apply to $\text{HMAC-H}(S,X)$. That is, not using HMAC puts undue pressure on the hash, and that pressure is not part of its explicit design criteria. HMAC is advisable for unspecified $H$. | |
| Apr 14, 2020 at 18:49 | history | edited | Maarten Bodewes♦ | CC BY-SA 4.0 | added 33 characters in body |
| S Apr 14, 2020 at 18:18 | history | answered | Maarten Bodewes♦ | CC BY-SA 4.0 | |
| S Apr 14, 2020 at 18:18 | history | made wiki | Post Made Community Wiki by Maarten Bodewes♦ |