RE: channel binding
From: Charles Clancy (clancycs.umd.edu)
Date: Wed, 31 Aug 2005 10:40:55 -0400 (EDT)
On Tue, 30 Aug 2005, Salowey, Joe wrote:

Regarding carrying a MAC of a blob instead of a blob itself, I think we need more analysis. If a blob is a mixture of confidential and non-confidential parameters, can't the non-confidential parameters and the MAC become a hint to find out the confidential ones?

[Joe] Maybe, I don't think that a MAC necessarily has the properties of a pseudo-random function so some information may leak into the MAC value. I'm not sure how close to a PRF something like HMAC is.

Originally, I meant that you would send both the channel binding blob, and also a keyed MAC of the blob. Would sending *just* the MAC also work? I guess both sides would have to know the channel parameters in order to verify them...


The fact that the MAC is keyed prevents determination of confidential parameters. From a cryptographic standpoint, a random oracle/PRF isn't needed here, so HMAC or CBC-MAC should be sufficient.

[ t. charles clancy ]--[ tcc [at] umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]-----[ university of maryland | college park ]
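
The two options raised in this thread (sending the channel binding blob together with a keyed MAC, or sending only the MAC), sketched as an added example that is not code from any of the posters or from a specification. HMAC-SHA256, the length-prefixed encoding, the key and the parameter names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values; KEY stands in for a key both sides already share.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PEER_VIEW = {"ssid": "corp-wlan", "nas-id": "ap-17.example.net"}

def encode_blob(params):
    """Length-prefixed encoding in sorted name order (assumed wire format)."""
    out = b""
    for name in sorted(params):
        for field in (name.encode(), params[name].encode()):
            out += struct.pack("!H", len(field)) + field
    return out

def mac_blob(key, blob):
    return hmac.new(key, blob, hashlib.sha256).digest()

def verify_blob_and_mac(key, blob, mac, local_params):
    """Blob and MAC both sent: check integrity, then compare to the local view."""
    if not hmac.compare_digest(mac_blob(key, blob), mac):
        return "bad-mac"
    if blob != encode_blob(local_params):
        return "mismatch"
    return "ok"

def verify_mac_only(key, mac, local_params):
    """Only the MAC sent: the verifier recomputes it over what it already knows."""
    ok = hmac.compare_digest(mac_blob(key, encode_blob(local_params)), mac)
    return "ok" if ok else "fail"

def demo():
    blob = encode_blob(PEER_VIEW)
    mac = mac_blob(KEY, blob)
    other_view = dict(PEER_VIEW, ssid="guest-wlan")   # verifier saw a different SSID
    flipped = blob[:-1] + bytes([blob[-1] ^ 1])       # blob altered in transit
    return {
        "both_same": verify_blob_and_mac(KEY, blob, mac, PEER_VIEW),
        "both_diff": verify_blob_and_mac(KEY, blob, mac, other_view),
        "both_tampered": verify_blob_and_mac(KEY, flipped, mac, PEER_VIEW),
        "mac_same": verify_mac_only(KEY, mac, PEER_VIEW),
        "mac_diff": verify_mac_only(KEY, mac, other_view),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With the blob present, the verifier can tell a modified message from a genuine difference in channel parameters; with only the MAC, both cases collapse into a single failure and every parameter must already be known to the verifier in identical encoding.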
