From: Seth Goodman
Sent: Saturday, September 18, 2004 4:02 PM
<...>
Key cracking for the 512-bit HMAC keys we are using is not practical given
the number of messages signed with the same key an attacker has access to.
With less than the optimal number of messages (2^256), an attacker must
use your validation server as a resource. The number of HMAC result bits
is then chosen so that given the bandwidth of your validation server and
the signature lifetime, a signature guessing attack cannot succeed with
reasonable probability (which you can also specify appropriate to
your level of paranoia).
This was not stated as well, as it confuses two types of attack: key
cracking and HMAC guessing. Key cracking is not what sets the limit for the
number of HMAC result bits. Key cracking is considered infeasible for any
foreseeable computational capability even with the optimal number of sample
messages. The number of HMAC result bits needed is determined by the HMAC
guessing attack, where an attacker tries to guess an HMAC that is correct
for a given return-path that they wish to forge. Since they don't know the
key, having sample signed return-paths is of no use and they must use the
sender's validation server to check their guesses. The validation server
throughput, which is limited by site communications bandwidth, and signature
lifetime are the limiting values along with desired probably of success of
an attack. Though we would like it to be zero, you have to settle for some
low probability of successful attack to avoid needing an infinite number of
bits, just like any signature scheme.
--
Seth Goodman