Potential IDPrism problem
paul at ciphergoth.org
Thu Jun 30 13:04:02 PDT 2005
> So we drop the HMAC security to 160 bits instead of 512? Doesn't seem
> reasonable -- we could extract more than that from the DH parameters.
Eh? We hash the DH shared secret before we use it. Otherwise the proof
of security in the random oracle model doesn't work. And HMAC-SHA1
doesn't offer more than 160 bits of security anyway - I don't remember
the exact details, but it probably offers half that.
-- Paul Crowley, paul at ciphergoth.org