ietf-mailsig

RE: at last: draft-levine-mass-batv-00

2004-09-18 14:02:04

From: David Woodhouse
Sent: Saturday, September 18, 2004 12:42 PM

<...>

Others have talked about the possibility of rotating keys so that
they're not in use for long enough to be cracked. I think that's
overkill.

Actually, we rotated the keys in the SES scheme to allow a very short
timestamp field, not to prevent key cracking.  If the keys are changed
periodically, the timestamp only has to cover the period of key change.
This prevents replay of old signatures when the truncated date code comes
around again.

Key cracking for the 512-bit HMAC keys we are using is not practical given
the number of messages signed with the same key an attacker has access to.
With less than the optimal number of messages (2^256), an attacker must use
your validation server as a resource.  The number of HMAC result bits is
then chosen so that given the bandwidth of your validation server and the
signature lifetime, a signature guessing attack cannot succeed with
reasonable probability (which you can also specify appropriate to your level
of paranoia).

--

Seth Goodman
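The two points in the message above, rotating keys so that a truncated date code cannot be replayed, and sizing the truncated HMAC result against the validation server's query rate, as a worked example. This is added illustration code, not part of the thread and not the SES or BATV drafts' own design; the rotation period (7 days), the 3-bit date code, the 5-day signature lifetime, the 80-bit truncated tag, the HMAC-SHA512 derivation of period keys from a master secret, and the address layout are all assumptions chosen for the demo.

```python
import hmac
import hashlib
import math

# All constants below are assumptions for this illustration, not values from SES or BATV.
ROTATION_PERIOD_DAYS = 7     # a fresh 512-bit HMAC key every 7 days
DATE_CODE_MODULUS = 8        # the address carries only (signing day mod 8): 3 bits
MAX_SIGNATURE_AGE_DAYS = 5   # kept below DATE_CODE_MODULUS so a date code maps to one day
SIG_BITS = 80                # truncated HMAC result length carried in the address

# Constructed master secret for the demo; a real deployment keeps this in a key store.
MASTER_SECRET = b"constructed-demo-master-secret-not-for-production"


def key_for_day(day: int) -> bytes:
    """Return the 512-bit key in force on `day`.

    Assumption: period keys are derived from a master secret with HMAC-SHA512, so
    the key of any past period is reproducible without storing it.  Because
    DATE_CODE_MODULUS >= ROTATION_PERIOD_DAYS, a date code that has wrapped around
    always lands in a later key period, which is what defeats replay.
    """
    period = day // ROTATION_PERIOD_DAYS
    return hmac.new(MASTER_SECRET, period.to_bytes(8, "big"), hashlib.sha512).digest()


def sign(local_part: str, recipient: str, day: int) -> tuple[int, str]:
    """Produce the (date_code, tag) pair embedded in a signed return address."""
    key = key_for_day(day)
    date_code = day % DATE_CODE_MODULUS
    msg = f"{local_part}|{date_code}|{recipient}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[: SIG_BITS // 8]
    return date_code, tag.hex()


def verify(local_part: str, recipient: str, date_code: int, tag_hex: str, today: int) -> str:
    """Validate a returned address on `today`; returns "ok", "expired" or "bad-signature"."""
    # Most recent day on or before today whose truncated code matches.
    signing_day = today - ((today - date_code) % DATE_CODE_MODULUS)
    if today - signing_day > MAX_SIGNATURE_AGE_DAYS:
        return "expired"
    # Check with the key of the reconstructed signing day, not necessarily today's key,
    # so a signature made just before a rotation still validates after it.
    key = key_for_day(signing_day)
    msg = f"{local_part}|{date_code}|{recipient}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).digest()[: SIG_BITS // 8]
    if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
        return "bad-signature"
    return "ok"


def guess_success_probability(queries_per_second: float, lifetime_seconds: float, sig_bits: int) -> float:
    """Chance that an attacker who can only test guesses against the validation server
    forges one signature before it expires (uniform tag, guesses << 2**sig_bits)."""
    guesses = queries_per_second * lifetime_seconds
    return min(1.0, guesses / 2.0 ** sig_bits)


def min_sig_bits(queries_per_second: float, lifetime_seconds: float, max_probability: float) -> int:
    """Smallest truncated HMAC length that keeps the forgery chance at or below `max_probability`."""
    guesses = queries_per_second * lifetime_seconds
    return math.ceil(math.log2(guesses / max_probability))


if __name__ == "__main__":
    code, tag = sign("alice", "bob@example.net", day=100)          # date code 100 % 8 == 4
    print("day 103:", verify("alice", "bob@example.net", code, tag, today=103))
    print("day 106:", verify("alice", "bob@example.net", code, tag, today=106))
    print("day 108 (same date code, key rotated):",
          verify("alice", "bob@example.net", code, tag, today=108))
    print("tag bits needed for 1000 guesses/s over 5 days at p <= 1e-9:",
          min_sig_bits(1000, 5 * 86400, 1e-9))
```

The validator reconstructs the signing day from the 3-bit code and the current date, rejects anything older than the lifetime, and then checks the tag under the key of that reconstructed day. A replay of the day-100 address on day 108 carries the same date code but is checked under the period-15 key, so it fails even though it is not "expired". The sizing helper is the defender's calculation: with only the validation server as an oracle, guesses are bounded by its query rate times the signature lifetime, and the tag length follows from the probability you are willing to accept.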

