[messaging] How secure is TextSecure?

[Jean-Philippe Aumasson]

"the security of a reduced-length SHA256 has not been investigated,
yet" (p5 of http://eprint.iacr.org/2014/904.pdf)

It was, implicitly, for any attack on "reduced-length" (collision,
[second-]preimage, distinguisher, etc.) implies an attach on SHA-256.

I wouldn't call UKS attacks "serious". As Trevor suggests, a good
reference is Krawczyk's HMQV paper http://eprint.iacr.org/2005/176.pdf
(see the UKS attack on MQV in appendix).

On Sat, Nov 1, 2014 at 5:56 AM, David Leon Gil <coruus at gmail.com> wrote:
> A new paper by Frosch et al. here: http://eprint.iacr.org/2014/904
>
> --
>
> They present an unknown key-share attack on TextSecure; this is rather
> serious, to say the least.
>
> Rather puzzling, however:
>
> 1. They claim that HMAC(key=constant, message=secret) is not provably
> a PRF.  The security reduction of, e.g., [nested_macs] seems
> symmetrical if the hash functions is one-way; am I missing something
> here?
>
> (HMAC is insecure if *both* inputs can be controlled by the attacker;
> this manifestly isn't the case here.)
>
> 2. They also claim that the security of truncated SHA2-256, as used in
> TextSecure tags, is unknown. (This is likely true for non-generic
> attacks: there are good distinguishers on reduced round SHA2-256.)
>
> But the story is very different for non-generic attacks; the
> "how-to-hash" indifferentiability proof works here.
>
> More concerning re tags: TextSecure is only using an 8 byte tag.
> 64-bit authenticity is plainly insufficient. (This really should be
> 128 bits of SHA2-256's output, or, preferably 160-256 bits of
> SHA2-512's.)
>
> --
>
> [nested_macs]: http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/papers/nestedMACs.pdf
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging