Given a hash H(), like SHA-256,
and a secret text S,
and a public salt P:
will knowing H(S) reveal HMAC(P, S)?
To clarify: the question is whether it is possible to learn the digest, not the secret.
In my specific case HMAC(S) is actually HKDF(S), but I'm assuming for this question that the safety-related part is just the extract phase.
The protocol is as follows:
Alice->Bob: fetch message2 after message1 which had content H(message1)
Bob->Alice: message2 from Charlie says: chacha(HKDF(message1), plain)
It seems fairly obvious that brute forcing S is still infeasible:
for each round an attacker would have the ability to test against H(S) or HMAC(S), but this doesn't help because the effort is identical. Testing against both of them just makes it twice as slow.
However, we care about the secrecy of the hash itself, since that's the derived key. Even if we assume it might be possible to "resume" a hash function just from its digest [1]
and then continue it as HMAC, it would only work with H(S+salt), not with H(salt+S), which is what HKDF uses [2].
Now the final thing I simply don't understand is entropy. Does revealing the hash of S reduce its entropy so that the HMAC is weaker? As far as I understand, a digest of something actually disperses the entropy so that it's indistinguishable from randomness. So you can't just "redo" the same dispersion if it's already gone.
- [1] https://stackoverflow.com/questions/20895009/what-state-needs-to-be-stored-to-allow-resumable-hash-computations
- [2] Why does HKDF use HMAC(salt, key) instead of HMAC(key, salt)?
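An added example (not part of the question) that makes the ordering argument concrete: HKDF-Extract is HMAC(salt, IKM), and expanding HMAC shows that the secret S only ever appears as the *suffix* of the inner hash input, after a full block derived from the salt, so the hash state behind H(S) is never an intermediate state of the HMAC computation. The salt and secret values are constructed sample inputs.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes


def H(data: bytes) -> bytes:
    """Plain SHA-256 digest, the H() of the question."""
    return hashlib.sha256(data).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM). The salt is the HMAC key."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _padded_key(key: bytes) -> bytes:
    # HMAC hashes keys longer than a block, then zero-pads to one block
    if len(key) > BLOCK:
        key = H(key)
    return key.ljust(BLOCK, b"\x00")


def hmac_inner_message(key: bytes, msg: bytes) -> bytes:
    """The exact byte string fed to the inner hash of HMAC: (K ^ ipad) || msg."""
    ipad = bytes(b ^ 0x36 for b in _padded_key(key))
    return ipad + msg


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC written out: H((K ^ opad) || H((K ^ ipad) || msg))."""
    opad = bytes(b ^ 0x5C for b in _padded_key(key))
    return H(opad + H(hmac_inner_message(key, msg)))


def secret_is_hash_prefix(salt: bytes, secret: bytes) -> bool:
    """True only if some hash inside HMAC starts with the secret, i.e. if the
    state behind H(secret) could be 'resumed' to reach the MAC. For HMAC the
    inner message starts with the salt-derived block, so this is False."""
    return hmac_inner_message(salt, secret).startswith(secret)


if __name__ == "__main__":
    salt, secret = b"public-salt-example", b"secret message1 content"  # constructed
    print("H(S)            =", H(secret).hex())
    print("HKDF-Extract    =", hkdf_extract(salt, secret).hex())
    print("manual HMAC ok  =", hkdf_extract(salt, secret) == hmac_sha256_manual(salt, secret))
    print("S is prefix of any hashed input inside HMAC:", secret_is_hash_prefix(salt, secret))
```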