Potential IDPrism problem

Paul Crowley paul at ciphergoth.org
Thu Jun 30 13:04:02 PDT 2005

Taral wrote:
> So we drop the HMAC security to 160 bits instead of 512? Doesn't seem
> reasonable -- we could extract more than that from the DH parameters.

Eh?  We hash the DH shared secret before we use it.  Otherwise the proof 
of security in the random oracle model doesn't work.  And HMAC-SHA1 
doesn't offer more than 160 bits of security anyway - I don't remember 
the exact details, but it probably offers half that.
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/

More information about the yadis mailing list