[Standards-JIG] [Fwd: Re: [Council] meeting agenda, 2006-04-11 - Dialback Key Generation and Validation]

Peter Saint-Andre stpeter at jabber.org
Wed Apr 12 15:50:34 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forwarding to Standards-JIG...

- -------- Original Message --------
Subject: Re: [Council] meeting agenda, 2006-04-11 - Dialback Key
Generation and Validation
Date: Wed, 12 Apr 2006 12:09:49 +0200
From: Matthias Wimmer
To: stpeter at jabber.org
References: <007d01c65d57$2deca820$0a00000a at dell8500>
<443C1B44.6020509 at jabber.org>

Hi Peter!

I cannot write to the list, so I am writing to you: Why not use HMAC-SHA256
instead of defining our own way of incorporating a key into the
hashing? HMAC-* also fixes all the problems Ian mentions below.

See you
   Matthias

Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The author told me he will incorporate these changes in version 1.1
>
> Peter
>
> Ian Paterson wrote:
>   
>> 2. Recommend the order of the items being hashed since this is
>> cryptographically important (the examples would need to be changed).
>> IMHO the 'secret' should be first, and the 'streamID' last. i.e.:
>> key = SHA1({ secret, ':', receiving server, ':', originating server,
>> ':', ID })
>>
>> Why?
>> - If secret is first instead of last then it is no longer possible for
>> an attacker to generate an intermediate hash (of the three known items).
>> - If streamID is last then a trivial 'length extension' attack of the
>> second server hostname is not possible (e.g. example.org ->
>> example.organic.net).
>>     

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEPSHKNF1RSzyt3NURAiQDAKDL00AAQKqg7kSKKjT8UMTR0frmowCdGobe
dieKvIMd7WdCsz/EaZ7YzGQ=
=4/KI
-----END PGP SIGNATURE-----
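
The HMAC-SHA256 suggestion from the message above, as an added example that is not code from the thread or from the specification under discussion. The function names, the length-prefixed field encoding and the sample hostnames, secret and stream ID are assumptions of this example.

```python
import hashlib
import hmac


def encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so that field boundaries are unambiguous.

    Assumption of this example: the thread does not specify an encoding.
    """
    out = bytearray()
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def generate_key(secret: bytes, receiving: str, originating: str,
                 stream_id: str) -> str:
    """Dialback key as HMAC-SHA256 keyed with the server secret.

    The secret is the HMAC key and never part of the hashed message, so the
    ordering and intermediate-hash concerns raised for a plain hash of the
    concatenated items do not arise.
    """
    msg = encode_fields(receiving, originating, stream_id)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def validate_key(secret: bytes, receiving: str, originating: str,
                 stream_id: str, presented: str) -> bool:
    """Recompute the key and compare it in constant time."""
    expected = generate_key(secret, receiving, originating, stream_id)
    return hmac.compare_digest(expected.encode("utf-8"),
                               presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret = b"constructed-sample-secret"
    key = generate_key(secret, "example.com", "example.org", "D60000229F")
    print("key:", key)
    # The key issued for example.org is rejected for a longer hostname.
    print("example.org        ->",
          validate_key(secret, "example.com", "example.org", "D60000229F", key))
    print("example.organic.net ->",
          validate_key(secret, "example.com", "example.organic.net",
                       "D60000229F", key))
```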