List:       cryptography
Subject:    Re: Time Based Token?
From:       "Steven M. Bellovin" <smb () research ! att ! com>
Date:       1998-08-30 5:15:11

In message <98Aug24.210954edt.43013@brickwall.ceddec.com>, tzeruch@ceddec.com writes:
>Now that I am playing with my palm III, something came up that made me
>think of that token which displays a different number every 30 seconds.
>
>Would something that would do a SHA1 of about 1K of random data (as a
>shared secret), and the current time be secure?  Or would it have to be
>more elaborate?

I think I would use HMAC (see RFC 2104), rather than just SHA1.  Apart
from the fact that SHA1 was not designed to be used as a keyed hash
function and HMAC was (and is provably strong), I am increasingly leery
of applying cryptographic operators to a counter.  See, for example,
"From Differential Cryptanalysis to Ciphertext-Only Attacks", by Biryukov
and Kushilevitz, in the Proceedings of CRYPTO '98.  (The paper does not
appear to be on the Web yet, though it will likely be findable via
http://link.springer.de/link/service/series moderately soon.  Among other
results, it shows that counters and other blocks with lots of redundancy
are very useful for differential cryptanalysis.)
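The construction Bellovin recommends, written out as an added example (this is
not code from the original thread): HMAC exactly as RFC 2104 defines it, keyed
with the poster's ~1K shared secret and applied to the current 30-second time
counter, beside the unkeyed SHA1(secret || time) the question proposed. Points
the post does not specify and that are assumptions here: the 8-byte big-endian
counter encoding, truncation to the leading four bytes of the MAC for an
8-digit display, and a verifier that accepts one step of clock skew on either
side. Note how RFC 2104 hashes a key longer than the 64-byte SHA-1 block size
down first, which is what happens to a 1K secret.

```python
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30   # the 30-second display interval mentioned in the question
BLOCK_SIZE = 64     # SHA-1 block size in bytes; RFC 2104's B for SHA-1


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104, instantiated with SHA-1 and written out by hand."""
    if len(key) > BLOCK_SIZE:
        # Keys longer than one block are hashed first (RFC 2104 section 2),
        # so a ~1K random shared secret becomes a 20-byte key.
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def stdlib_hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """Same computation via the standard library, for cross-checking."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Seconds since the epoch divided into fixed steps; the value that is MACed."""
    return int(now) // step


def counter_mac(secret: bytes, counter: int) -> bytes:
    # Assumption: the counter is encoded as an 8-byte big-endian integer.
    return hmac_sha1(secret, struct.pack(">Q", counter))


def token(secret: bytes, counter: int, digits: int = 8) -> str:
    """Display value: the keyed MAC of the counter, truncated for a small screen."""
    mac = counter_mac(secret, counter)
    # Assumption: simple leading-bytes truncation to `digits` decimal digits.
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def naive_token(secret: bytes, counter: int, digits: int = 8) -> str:
    """What the question proposed: an unkeyed SHA-1 over secret || time.
    SHA-1 was not designed as a keyed hash, which is the reply's objection."""
    digest = hashlib.sha1(secret + struct.pack(">Q", counter)).digest()
    return f"{int.from_bytes(digest[:4], 'big') % (10 ** digits):0{digits}d}"


def verify(secret: bytes, candidate: str, now: float, skew: int = 1) -> bool:
    """Accept the token for the current step or `skew` steps either side.
    Constant-time comparison avoids leaking how many digits matched."""
    current = time_counter(now)
    return any(
        hmac.compare_digest(token(secret, current + d), candidate)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    shared_secret = os.urandom(1024)          # the "about 1K of random data"
    now = time.time()
    shown = token(shared_secret, time_counter(now))
    print("token:", shown)
    print("accepted now:", verify(shared_secret, shown, now))
    print("accepted 90s later:", verify(shared_secret, shown, now + 3 * STEP_SECONDS))
```

The hand-written hmac_sha1 can be checked against RFC 2202's published
HMAC-SHA1 test vector (key of twenty 0x0b bytes, text "Hi There") and against
Python's own hmac module for a multi-kilobyte key; both should agree byte for
byte.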
