
If you know the HMAC key, why would you ever need to generate a collision? You can just reevaluate the MAC and replace the old one.



I think the point was that if some dumb protocol were misusing HMAC (and I'm not good enough at thinking about protocols to imagine how it might do so), it could be vulnerable to collisions generated this way.


The point of the parent commenter is that a misuse of HMAC that gives attackers knowledge of the key admits much simpler attacks than this.


Yup.

"This almost certainly doesn’t have any security impact, but I’m happy(ish) to be proved wrong."

There's a few words I'd remove from that sentence, I guess.


SNARK REDACTED


See this kind of snark is usually what gets 'pbsd to come out of the shadows and smack me down. Your turn this time!


I think it's because you're not wrong here. :D



