Date: Wed, 6 Jun 2001 13:46:13 +0200
From: Luke Kenneth Casson Leighton
To: Ben Laurie
Cc: Justin Erenkrantz, Sander Striker, dev@apr.apache.org
Subject: Re: [PATCH] apr-util hmac md5

raaay, good for sander.

HMAC_MD5 is used in NTLMv2 security to help guarantee against
replay attacks on different sessions [NTLMv2 doesn't stop
replay attacks on the _same_ session :)]

HMAC_xxx is used to generate one-way hashes from secret keys and
public data, basically. if you have to one-way hash, it's pretty much
O(N ^^ -128) likely that you will be able to obtain the secret key.

sander, just a thought: would it be possible to write a
general HMAC_xx that accepts an xx? and then HMAC_MD5 being
a specialisation of that?

or, is it simply worth saying, well, uh, if you're gonna do that,
forget it: use openssl.

?

On Tue, Jun 05, 2001 at 07:34:33PM +0100, Ben Laurie wrote:
> Justin Erenkrantz wrote:
> >
> > On Tue, Jun 05, 2001 at 01:54:05AM +0200, Sander Striker wrote:
> > > Hi,
> > >
> > > This patch adds HMAC MD5 to apr-util.
> >
> > Where would we use this? Is this algorithm of sufficient usage that it
> > would benefit being in apr-util? I've never heard of HMAC before - I
> > had to look it up on rfc-editor.org. Maybe I live in a paper bag.
>
> Please be assured that you _do_ live in a paper bag. HMACs are good
> things if you care about security. :-)
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
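
The "general HMAC_xx that accepts an xx" asked about in the message above, as an added example that is not part of the original mail or of the apr-util patch: the RFC 2104 construction in Python, parameterised on the hash, with HMAC-MD5 as one specialisation. The function names are hypothetical; the sample key and data are those of RFC 2202 HMAC-MD5 test case 2.

```python
import hashlib
import hmac as std_hmac  # standard library, used for constant-time compare


def hmac_generic(hash_factory, key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC over any hashlib-style constructor (the 'xx')."""
    block_size = hash_factory().block_size  # B in RFC 2104; 64 for MD5
    if len(key) > block_size:
        # Over-long keys are replaced by their digest before padding.
        key = hash_factory(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_factory(ipad + msg).digest()
    return hash_factory(opad + inner).digest()


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 as a specialisation of the generic routine."""
    return hmac_generic(hashlib.md5, key, msg)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Same construction, different hash plugged in."""
    return hmac_generic(hashlib.sha256, key, msg)


def verify_tag(mac_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare without leaking timing information."""
    return std_hmac.compare_digest(mac_fn(key, msg), tag)


if __name__ == "__main__":
    # Key and data from RFC 2202, HMAC-MD5 test case 2.
    key, data = b"Jefe", b"what do ya want for nothing?"
    tag = hmac_md5(key, data)
    print("HMAC-MD5   :", tag.hex())
    print("HMAC-SHA256:", hmac_sha256(key, data).hex())
    print("tag verifies:         ", verify_tag(hmac_md5, key, data, tag))
    print("altered data verifies:", verify_tag(hmac_md5, key, data + b"!", tag))
```

The only hash-specific inputs are the block size and the digest function, which is why one routine serves every "xx".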