Jump to content
Not connected, Your IP: 3.144.103.20
Sign in to follow this  
TCalhau

About updating the Hash Message Authentication Code

Recommended Posts

Hello technical team!

I would like to know if there is any prediction of migration to HMAC SHA256 in order to increase the overall security. I would like to see it implemented even as optional for the paranoid on duty.

Share this post


Link to post

Hello!

 

We don't see how it would increase security. HMAC is secure, it does not really matter if the lower layer hash is SHA1 or SHA256. SHA1 attempted hash collisions by an attacker are meaningless, because before trying that the attacker should have found the HMAC keys.

 

HMAC SHA256 is not planned at the moment. We are hesitant with ECC for the problem with NIST parameters based curves. These have been created by NSA (by Jerry Solinas) and there are some doubts that must be taken into consideration about "cooked" constants, although unlikely.

 

So the real paranoid person might stay away from elliptic curves based on NIST recommended constants. Please see also:

https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters

 

Ideally, OpenSSL etc. should not use NIST curves, there's no reason to do that because there are better alternatives.

 

By the way, in a more general vision, it does appear inappropriate to think about even stronger encryption in our service, either for the Data Channel or the Control Channel.

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...