HMAC and RIJNDAEL192, was: bugs in bit manipulation routines

Werner Koch wk at
Mon Aug 7 10:15:05 CEST 2006

On Sun,  6 Aug 2006 23:38, bpgcrypt at said:

> No doubt: securing the HMAC key is a wise idea. But I think it should be
> unnecessary to call gcry_control() if one is going to omit the
> GCRY_MD_FLAG_SECURE flag anyway when initializing the hash function.

The md_flag_secure puts all internal buffers into secure memory.  This
is for example required if you are going to hmac private key material.
Storing the hmac key into secure memory is a design issue with no way
to change it except for dropping all secure memory.

> AES is a block cipher with fixed 128 bit block length and non-fixed
> key length. RIJNDAEL on the other hand is a block cipher with "any"
> block length from 128 to 256. In the literature the identifier 

I recall from the second AES conference that it was presented in the
way it is used in libgcrypt.  Can't find the proceedings right
now. Anyway ...

> length and 192 bit key. This is confusing and possibly hazardous. I 
> suggest to drop all of the macros except the third one.

... this would be an API change and thus we can't do it.


