> >>> Also, FWIW, hash algorithms are perfectly usable as encryption
> >>> algorithms.
> >>
> >> Pardon?

> ...
> > The construction is known as "Chaffing and Winnowing", was invented

> > Ron Rivest, is hugely inefficient and was designed to show the
> > foolishness of crypto export laws.

> This is merely a semantic point (meaning of the word encryption). Even

> author of the paper explicitly describes both stenography and chaffing

> winnowing as "not employ[ing] encryption".

Clearly, Ron Rivest's chaffin and winnowing construct is more a gedanken
experiment than a practical tool. However, hash functions can be used to
hide data, using a different construct: generate a bit string by hashing
a shared secret and a random number present in the message, and then XOR
the message text with that bit string. That construct is actually used
in the Radius specification (RFC 2685, section 5.2 "Passords", page 27):

On transmission, the password is hidden. The password is first
padded at the end with nulls to a multiple of 16 octets. A one-
way MD5 hash is calculated over a stream of octets consisting of
the shared secret followed by the Request Authenticator. This
value is XORed with the first 16 octet segment of the password and
placed in the first 16 octets of the String field of the User-
Password Attribute.

The Radius specification used MD5, but that construct can actually be
used with pretty much any hash function.=20

> So at least this generation of dumb crypto laws do not cover MAC

> functions, which is what was, I think, the original question.
> Unfortunately
> pointing out laws are dumb does not allow us to ignore them.

Let's say that these laws do not prevent the use of hash functions for
message authentication purposes, and leave it at that.

-- Christian Huitema

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.