
Reading the question “HMAC-SHA1 vs HMAC-SHA256”, I figured out that the known attacks on SHA1 don't apply to its HMAC version. So, HMAC-SHA1 is quite strong right now.

In a protocol like SSL, if it gets broken tomorrow, we can “simply” turn off all the cipher-suites that use HMAC-SHA1. But what if it is used as MAC protection for encrypted data storage? Let's say that I decide to use HMAC-SHA1 instead of HMAC-SHA256 and the former gets broken. It would be a problem because the old stored data will continue to have a broken MAC protection.

Would using HMAC-SHA256 help in that case?

To be more precise: Is HMAC-SHA256 likely to be much more difficult to break compared to HMAC-SHA1 and are both HMAC-SHA1 and HMAC-SHA256 likely to be broken in the near future?

user3593483

1 Answer


In a protocol like SSL, if it gets broken tomorrow, we can “simply” turn off all the cipher-suites that use HMAC-SHA1. But what if it is used as MAC protection for encrypted data storage?

This isn't as big a problem as it may seem at first. Even with old data it can still be possible to upgrade the MAC later if you find out about a possible attack, as user4982 mentioned in a comment. Furthermore, the most likely attacks against a MAC would be the ones where the attacker would be able to use an "oracle" to MAC arbitrary messages, which may not exist in practice with data at rest (but is more likely with an interactive protocol).

Would using HMAC-SHA256 help in that case?

To be more precise: Is HMAC-SHA256 likely to be much more difficult to break compared to HMAC-SHA1 and are both HMAC-SHA1 and HMAC-SHA256 likely to be broken in the near future?

I would recommend, as in the linked question, using HMAC-SHA256 for new applications. I don't find it likely that either will be broken any time soon, but breaking HMAC with SHA-256, which is still collision resistant, is even less likely than with SHA-1, so there is more of a security margin.


However, when designing a long term data storage system, the main thing to keep in mind is making sure that any algorithms are replaceable if they get too weak. I.e. make it possible to transition from whichever MAC is chosen to a stronger one and similarly for ciphers and such. (In an incremental fashion, if keys are held by third parties.)

otus
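The last paragraph of the answer, making the MAC replaceable on stored data, is the part most often skipped in practice. Below is an added example (not code from the answer or from any particular product) of one way to do it in Python with the standard library: each stored record carries an algorithm identifier in a header that is itself covered by the MAC, a separate MAC key is derived per algorithm, and a `migrate()` routine verifies a record under its old MAC and re-seals it under the new one. The record layout, the `MAGIC` constant, the `MAC_ALGS` table and the key-derivation label are all assumptions made for this example; the ciphertext is a constructed placeholder standing in for the output of whatever cipher the storage system uses.

```python
import hashlib
import hmac
import struct

# Algorithm registry (assumed for this example). The identifier is written into
# every record so a reader knows which HMAC to check and a migration tool knows
# which records still use the weaker one.
MAC_ALGS = {
    1: ("HMAC-SHA1", hashlib.sha1),
    2: ("HMAC-SHA256", hashlib.sha256),
}
MAGIC = b"MACV"            # assumed record marker
HEADER_FMT = ">BI"         # alg_id (1 byte), ciphertext length (4 bytes)
HEADER_LEN = len(MAGIC) + struct.calcsize(HEADER_FMT)


def derive_mac_key(master_key: bytes, alg_id: int) -> bytes:
    """Derive a distinct MAC key per algorithm from one master key.

    A break of the old MAC should not hand the attacker the key used by the
    new one, so the two never share a key. The label scheme is an assumption.
    """
    label = b"mac-key/" + MAC_ALGS[alg_id][0].encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()


def seal(master_key: bytes, alg_id: int, ciphertext: bytes) -> bytes:
    """Return header || ciphertext || tag, with the tag over header and ciphertext."""
    _, digest = MAC_ALGS[alg_id]
    header = MAGIC + struct.pack(HEADER_FMT, alg_id, len(ciphertext))
    key = derive_mac_key(master_key, alg_id)
    tag = hmac.new(key, header + ciphertext, digest).digest()
    return header + ciphertext + tag


def _parse(record: bytes):
    if record[:len(MAGIC)] != MAGIC:
        raise ValueError("not a sealed record")
    alg_id, ct_len = struct.unpack(HEADER_FMT, record[len(MAGIC):HEADER_LEN])
    if alg_id not in MAC_ALGS:
        raise ValueError("unknown MAC algorithm id %d" % alg_id)
    _, digest = MAC_ALGS[alg_id]
    header = record[:HEADER_LEN]
    ciphertext = record[HEADER_LEN:HEADER_LEN + ct_len]
    tag = record[HEADER_LEN + ct_len:]
    # Length check before any comparison: a downgraded alg_id would also
    # change the expected tag length and is rejected here.
    if len(ciphertext) != ct_len or len(tag) != digest().digest_size:
        raise ValueError("malformed record")
    return alg_id, header, ciphertext, tag


def verify(master_key: bytes, record: bytes):
    """Check the record's MAC; return (alg_id, ciphertext) or raise ValueError."""
    alg_id, header, ciphertext, tag = _parse(record)
    _, digest = MAC_ALGS[alg_id]
    key = derive_mac_key(master_key, alg_id)
    expected = hmac.new(key, header + ciphertext, digest).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("MAC verification failed")
    return alg_id, ciphertext


def migrate(master_key: bytes, record: bytes, new_alg_id: int) -> bytes:
    """Verify under the MAC the record currently carries, then re-seal under new_alg_id.

    Verifying first matters: re-tagging a record nobody checked would launder a
    forgery made against the old MAC into a record the new MAC vouches for.
    """
    alg_id, ciphertext = verify(master_key, record)
    if alg_id == new_alg_id:
        return record
    return seal(master_key, new_alg_id, ciphertext)


if __name__ == "__main__":
    master = bytes(range(32))                     # constructed key for the demo
    ct = b"\x8a\x13\x7f\x00\xc4opaque-ciphertext-bytes"  # constructed placeholder
    old = seal(master, 1, ct)                     # legacy record, HMAC-SHA1
    new = migrate(master, old, 2)                 # upgraded to HMAC-SHA256
    print("old alg", verify(master, old)[0], "new alg", verify(master, new)[0])
```

A real migration would walk the store, call `migrate()` on each record, and only retire the old key material once no record with `alg_id == 1` remains; the same header field is what lets the reader refuse records that still carry the retired identifier after that point.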