Potential IDPrism problem
Paul Crowley
paul at ciphergoth.org
Thu Jun 30 13:04:02 PDT 2005
Taral wrote:
> So we drop the HMAC security to 160 bits instead of 512? Doesn't seem
> reasonable -- we could extract more than that from the DH parameters.
Eh? We hash the DH shared secret before we use it. Otherwise the proof
of security in the random oracle model doesn't work. And HMAC-SHA1
doesn't offer more than 160 bits of security anyway - I don't remember
the exact details, but it probably offers half that.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
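As an added example (not code from this thread or from the yadis project) of the derivation Paul describes: the raw DH shared secret is hashed with SHA-1 and the 160-bit digest becomes the HMAC-SHA1 key, so the MAC key is fixed at 160 bits however large the DH modulus is. The toy 127-bit group and the big-endian encoding of the shared secret before hashing are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demonstration only: 2**127 - 1 is prime,
# but a 127-bit modulus is far too small for real use.
P = 2**127 - 1
G = 3


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer.
    Assumption for this example: the shared secret is encoded this way
    before it is hashed (the thread does not state an encoding)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def dh_keypair(p: int = P, g: int = G) -> tuple:
    """Return (private exponent, public value) for one party."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def derive_mac_key(shared_secret: int) -> bytes:
    """Hash the raw DH shared secret before using it as a key: the MAC key
    is the 160-bit SHA-1 digest, whatever the size of the DH modulus."""
    return hashlib.sha1(btwoc(shared_secret)).digest()


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha1).digest()


def run_exchange(message: bytes = b"constructed association message") -> dict:
    """Two parties agree a DH secret, derive the same 160-bit MAC key and
    verify an HMAC-SHA1 tag over a constructed message."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Each side computes the shared secret from the other's public value.
    k_a = derive_mac_key(pow(b_pub, a_priv, P))
    k_b = derive_mac_key(pow(a_pub, b_priv, P))
    tag = hmac_sha1(k_a, message)
    return {
        "keys_match": k_a == k_b,
        "key_bits": len(k_a) * 8,  # 160, independent of P's size
        "tag_valid": hmac.compare_digest(tag, hmac_sha1(k_b, message)),
    }


if __name__ == "__main__":
    print(run_exchange())
```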