I was looking at the way that ssh calculates an hmac, and I noticed that the ordering is a little strange - it does hash(key+message). Shouldn't this rather be hash(message+key)?

In the former situation, it could be possible for an attacker to append something to the end of the data being sent. The attacker would be able to calculate a valid hmac without knowing the key. For instance, since md5 does rounds on blocks of 512 bits, where the output of the last round is the input for the first round of the next block; an attacker could just use the existing hmac as input for a new block to append. If the hash were computed as hash(message+key), the attacker would have to know the key to do that.

How do people feel about this? Am I missing something here?

- Mike

---------------------------------------------------------------------------
"A totalitarian state thrives on propaganda, and there is no more effective way to limit thought than to control the language itself. By changing definitions of words through continual association, any serious discussion involving the concepts that the words represent becomes hopelessly muddled."
---------------------------------------------------------------------------
Moxie - moxie at thoughtcrime.org / moxie at vivid.net
http://www.thoughtcrime.org
On Sat, 20 May 2000, Mike Benham wrote:

> I was looking at the way that ssh calculates an hmac,
> and I noticed that the ordering is a little strange - it does
> hash(key+message). Shouldn't this rather be hash(message+key)?

Which bit of code are you referring to?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
On Sat, May 20, 2000 at 05:29:55PM -0400, Mike Benham wrote:

> I was looking at the way that ssh calculates an hmac, and I
> noticed that the ordering is a little strange - it does hash(key+message).
> Shouldn't this rather be hash(message+key)? In the former situation, it
> could be possible for an attacker to append something to the end of the
> data being sent. The attacker would be able to calculate a valid hmac
> without knowing the key. For instance, since md5 does rounds on blocks of
> 512 bits, where the output of the last round is the input for the first
> round of the next block; an attacker could just use the existing hmac as
> input for a new block to append. If the hash were computed as
> hash(message+key), the attacker would have to know the key to do that.
> How do people feel about this? Am I missing something here?

HMAC (rfc2104) works this way: F(k1, F(k2, x)), so the key influences both the 1st and the last invocation of the compression function. it's more like hash(key+message+key).

-markus
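As an added example (not code from this thread or from OpenSSH), the RFC 2104 construction Markus describes, written in Python on top of hashlib, next to the plain hash(key + message) form Mike asked about. The key is folded into both the inner and the outer hash invocation, so the tag a receiver checks is the output of an outer hash whose input contains the secret, not the chaining state of a hash over the bare data. The HMAC-MD5 test vector from RFC 2202 (key 0x0b repeated 16 times, data "Hi There") is used as a known-answer check; the function names, the sample key and the constant-time verifier are this example's own choices.

```python
"""HMAC per RFC 2104, built from a plain hash function.

Example code written for this thread, not OpenSSH's implementation.
"""
import hashlib
import hmac  # standard library; used for a cross-check and constant-time compare

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key brought to one hash block: keys longer than a block are
    hashed first, shorter keys are zero-padded on the right.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")

    ipad_key = bytes(b ^ IPAD_BYTE for b in key)
    opad_key = bytes(b ^ OPAD_BYTE for b in key)

    # Inner hash: key material prefixes the message (the "k2" in F(k1, F(k2, x))).
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    # Outer hash: key material again, applied to the inner digest (the "k1").
    return hashlib.new(hash_name, opad_key + inner).digest()


def prefix_mac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """The naive hash(key + message) construction from the original question.

    Kept here only to show that HMAC is a different function, not this one.
    """
    return hashlib.new(hash_name, key + message).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "md5") -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), expected)


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Check a received tag with a constant-time comparison.

    A byte-by-byte early-exit compare would leak how many leading tag bytes
    matched; compare_digest avoids that.
    """
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-MD5 (a published known-answer vector).
    rfc_key = b"\x0b" * 16
    rfc_msg = b"Hi There"
    print("HMAC-MD5  :", hmac_rfc2104(rfc_key, rfc_msg).hex())
    print("expected  : 9294727a3638bb1c13f48ef8158bfc9d")
    print("H(k||m)   :", prefix_mac(rfc_key, rfc_msg).hex())  # differs from HMAC

    # Constructed sample: a made-up session key and packet payload.
    sample_key = b"constructed-example-key"
    sample_msg = b"SSH_MSG_CHANNEL_DATA example payload"
    tag = hmac_rfc2104(sample_key, sample_msg, "sha1")
    print("verify ok :", verify(sample_key, sample_msg, tag, "sha1"))
    print("tampered  :", verify(sample_key, sample_msg + b"X", tag, "sha1"))
```

Running it prints the RFC 2202 digest for the known-answer input and shows that hash(key + message) over the same input is an unrelated value; the verifier accepts the original message and rejects one with extra bytes appended.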