On Mon, Nov 20, 2006 at 01:45:45PM -0500, Omirjan Batyrbaev wrote: > This would have been a problem if the HMAC was just SHA-1(...) or MD5 (...) > or similar type of prefix HMAC. However, the HMAC used in TLS is more > involved construct (see RFC 2104) and the attack is not applicable. It is indeed more complicated than that, and though one could certainly look at a boring RFC, it would sure be easier to look at a colorful technical illustration that shows how HMAC works. An Illustrated Guide to IPSec http://www.unixwiz.net/techtips/iguide-ipsec.html#hmac Steve :-) --- Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@xxxxxxxxxxx
