A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904
--

They present an unknown key-share attack on TextSecure; this is rather serious, to say the least. Rather puzzling, however:

1. They claim that HMAC(key=constant, message=secret) is not provably a PRF. The security reduction of, e.g., [nested_macs] seems symmetrical if the hash function is one-way; am I missing something here? (HMAC is insecure if *both* inputs can be controlled by the attacker; this manifestly isn't the case here.)

2. They also claim that the security of truncated SHA2-256, as used in TextSecure tags, is unknown. (This is likely true for non-generic attacks: there are good distinguishers on reduced-round SHA2-256.) But the story is very different for non-generic attacks; the "how-to-hash" indifferentiability proof works here.

More concerning re tags: TextSecure is only using an 8-byte tag. 64-bit authenticity is plainly insufficient. (This really should be 128 bits of SHA2-256's output, or, preferably, 160-256 bits of SHA2-512's.)

--

[nested_macs]: http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/papers/nestedMACs.pdf

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
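Added worked example (not from the post above, the Frosch et al. paper, or TextSecure's code): it builds the two HMAC usages the post discusses, a truncated tag over a message and a "key=constant, message=secret" derivation, and quantifies why an 8-byte tag is weak by computing the probability that a given number of blind forgery attempts hits a tag of a given width. The constant key, message bytes and salt are constructed placeholders, and the truncation and verification policy are this example's own, not TextSecure's.

```python
import hmac
import hashlib
import math

# Constructed demonstration inputs; not values from TextSecure or the paper.
KEY = bytes.fromhex("00" * 32)
MESSAGE = b"constructed ciphertext bytes"
CONSTANT_SALT = b"constructed-constant-hmac-key"  # the "key=constant" usage from point 1


def mac_tag(key: bytes, message: bytes, tag_len: int, hash_name: str = "sha256") -> bytes:
    """HMAC over `message` under `key`, truncated to its leading `tag_len` bytes.

    tag_len=8 is the 64-bit width the post criticises; 16 (SHA2-256) or 20..32
    (SHA2-512) are the widths it suggests instead.
    """
    full = hmac.new(key, message, getattr(hashlib, hash_name)).digest()
    if not 1 <= tag_len <= len(full):
        raise ValueError("tag length out of range for the chosen hash")
    return full[:tag_len]


def verify_tag(key: bytes, message: bytes, tag: bytes, tag_len: int,
               hash_name: str = "sha256") -> bool:
    """Recompute and compare in constant time; a tag of the wrong length is
    rejected before any comparison so a short tag cannot pass as a prefix."""
    if len(tag) != tag_len:
        return False
    return hmac.compare_digest(mac_tag(key, message, tag_len, hash_name), tag)


def derive_from_secret(secret: bytes) -> bytes:
    """HMAC(key=constant, message=secret): the orientation from point 1 of the
    post, where the secret sits in the message slot and the key is public."""
    return hmac.new(CONSTANT_SALT, secret, hashlib.sha256).digest()


def forgery_success_probability(tag_bits: int, attempts: int) -> float:
    """Probability that `attempts` uniformly random guesses hit a `tag_bits`-bit
    tag (generic forgery, no structural weakness assumed).

    Computed as 1 - (1 - 2^-bits)^attempts via log1p/expm1 so that 2^-64 and
    2^-128 do not round to zero in double precision."""
    if tag_bits <= 0 or attempts < 0:
        raise ValueError("tag_bits must be positive and attempts non-negative")
    return -math.expm1(attempts * math.log1p(-(2.0 ** -tag_bits)))


if __name__ == "__main__":
    for bits in (64, 128):
        p = forgery_success_probability(bits, 2 ** 32)
        print(f"{bits}-bit tag, 2^32 online guesses: success probability ~ {p:.3e}")
    print("8-byte tag :", mac_tag(KEY, MESSAGE, 8).hex())
    print("16-byte tag:", mac_tag(KEY, MESSAGE, 16).hex())
```

Note that the probability figure is the generic bound only: it assumes the truncated output is indistinguishable from random, which is exactly the property the post says the paper leaves open for truncated SHA2-256 but that the indifferentiability argument supports. With 2^32 online attempts, a 64-bit tag is forged with probability around 2^-32, a 128-bit tag around 2^-96.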
