On 08/01/2019 10:38, Lennart Poettering wrote:
> Also, you want to use standard primitives, and a HMAC is one that is
> designed for purposes like this. For the reasons why a HMAC is
> constructed the way it is, read the wikipedia page.
Well, it's constructed the way it is (as wikipedia explains) to
stop you being able to add data to a message and have it generate
the same MAC, which makes perfect sense when you are using it as
a signature to check that the input hasn't been modified.
That's not what is happening here though - here the hash is just
to disguise the input not to verify that it hasn't changed, so the
property that we are interested in is whether the algorithm can
be reversed to recover plain text not whether an alternate plain
text can be found to give the same cipher text.
So HMAC probably isn't strictly necessary in this case but it's
not going to do any harm either.
Tom Hughes (tom(a)compton.nu)
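The distinction drawn in the reply above, between forging a MAC for an extended message and reversing a hash to recover its input, is easier to see with a concrete run. The following is an added example and not code from the thread or from the project under discussion: it uses a constructed identifier (`host-0042`) and a constructed candidate list to show the "reversal" property the reply is concerned with, i.e. that an unkeyed hash of a guessable input can be recovered by enumerating candidates, whereas the keyed HMAC construction cannot be recomputed without the key. The key, the candidate set and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample input: a short, guessable identifier that a pipeline
# wants to "disguise" before storing or emitting it (hypothetical).
SECRET_INPUT = b"host-0042"

# Constructed candidate space a reviewer of the stored output could try.
CANDIDATES = [f"host-{i:04d}".encode() for i in range(10000)]


def disguise_plain(data: bytes) -> str:
    """Unkeyed SHA-256: hides the bytes, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def disguise_hmac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: recomputing the output requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def recover_by_guessing(target: str,
                        disguise: Callable[[bytes], str],
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Preimage recovery by enumeration: the 'can it be reversed' property.

    Succeeds only when the candidate space is small AND the disguise
    function can be evaluated without any secret.  Uses a constant-time
    comparison so the check itself leaks nothing about the target.
    """
    for candidate in candidates:
        if hmac.compare_digest(disguise(candidate), target):
            return candidate
    return None


def demo() -> dict:
    """Run both constructions over the constructed input and report what an
    observer who sees only the stored output (not the key) can recover."""
    key = secrets.token_bytes(32)  # constructed per-installation secret

    plain_output = disguise_plain(SECRET_INPUT)
    keyed_output = disguise_hmac(key, SECRET_INPUT)

    # Observer without the key can evaluate only the unkeyed function.
    from_plain = recover_by_guessing(plain_output, disguise_plain, CANDIDATES)
    from_keyed = recover_by_guessing(keyed_output, disguise_plain, CANDIDATES)

    # The legitimate key holder can still re-derive the keyed output,
    # so it remains usable as a stable (but opaque) identifier.
    key_holder_matches = hmac.compare_digest(
        disguise_hmac(key, SECRET_INPUT), keyed_output)

    return {
        "recovered_from_plain_hash": from_plain,      # b"host-0042"
        "recovered_from_hmac_without_key": from_keyed,  # None
        "key_holder_can_rederive": key_holder_matches,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point the example makes is narrower than a general endorsement of HMAC: neither construction is "reversed" in the algebraic sense, but when the input is drawn from a small space the unkeyed hash is reversed in practice by enumeration, and it is the secret key, not HMAC's defence against message extension, that closes that path.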