security level / security strength(bits) of HMAC


fido_newbie

9:37 AM
to FIDO Dev (fido-dev)

In section 3.3 of the “FIDO Authenticator Allowed Cryptography List” (Dec 21, 2023) document, I found the following description regarding the HMAC security level:

  1. The minimum of the length of the output of the hash used
  2. One-half of the number of bits in the hash state
  3. The number of bits in the HMAC key

I’m not quite sure what item-2 means.
Could someone explain item-2 using HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 as examples?

Thanks.

DUBOUCHER Thomas

10:14 AM
to fido_newbie, FIDO Dev (fido-dev)

THALES GROUP LIMITED DISTRIBUTION to email recipients


This has to do with birthday attacks against secure hash functions.

Due to the birthday paradox, it takes 2^(n/2) tries to get a hash collision. Hence the hash strength in bits is always at most half its bit length.

Note that it doesn’t take into account whether a birthday attack is practical or not.

Best regards,

Thomas Duboucher (he/him)

Embedded Security Specialist

Digital Identity and Security

Thales
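
The 2^(n/2) birthday bound from the reply above, measured empirically; this is an added example, not part of the original thread. SHA-256 is truncated to n bits so that collisions are found quickly, and the helper names and counter-style messages are constructed for illustration.

```python
import hashlib
import math


def truncated_sha256(msg: bytes, n_bits: int) -> int:
    """SHA-256 of msg, keeping only the top n_bits of the digest."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, trial: int = 0):
    """Hash distinct messages until two share the same truncated digest.

    Returns (msg_a, msg_b, tries). The pigeonhole principle guarantees
    termination within 2**n_bits + 1 tries; the birthday paradox makes it
    happen after roughly 2**(n_bits / 2).
    """
    seen = {}  # truncated digest -> first message that produced it
    counter = 0
    while True:
        # Constructed sample input: a per-trial prefix plus a counter.
        msg = b"trial-%d/msg-%d" % (trial, counter)
        counter += 1
        tag = truncated_sha256(msg, n_bits)
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


def mean_tries(n_bits: int, trials: int = 32) -> float:
    """Average number of hashes needed per collision over several trials."""
    return sum(find_collision(n_bits, t)[2] for t in range(trials)) / trials


if __name__ == "__main__":
    for n in (16, 20, 24):
        # Expected draws until the first collision among 2**n values.
        expected = math.sqrt(math.pi / 2 * 2 ** n)
        print(f"n={n:2d}  2^(n/2)={2 ** (n // 2):5d}  "
              f"expected~{expected:7.0f}  measured mean={mean_tries(n):7.0f}")
```

Each extra 4 bits of output only multiplies the measured work by about 4, not 16, which is why an n-bit hash offers at most n/2 bits of collision resistance.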

 
