Rusty Russell [ARCHIVE] on Nostr: 📅 Original date posted:2016-07-01 📝 Original message:Ethan Heilman <eth3rs at ...
📅 Original date posted:2016-07-01
📝 Original message:Ethan Heilman <eth3rs at gmail.com> writes:
>>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
>
> If I have a tag y = SHA256(key|cipher-type|mesg), I can without
> knowing key or msg compute a value y' such that
> y' = SHA256(key|cipher-type|mesg|any values I want).
Not quite, there's an important subtlety that SHA256 appends the
bitlength, so you can only create:
y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want).
But we're not using this for a MAC in BIP151, we're using this to
generate the encryption keys.
Arthur Chen <arthur.chen at btcc.com> said:
> HMAC has proven security property.
> It is still secure even when underlying crypto hashing function has
> collision resistant weakness.
> For example, MD5 is considered completely insecure now, but HMAC-MD5 is
> still considered secure.
> When in doubt, we should always use HMAC for MAC(Message Authentication
> Code) rather than custom construction
Bitcoin already relies on SHA256's robustness, but again, we don't need
a MAC here.
I'm happy to buy "we just copied ssh" if that's the answer, and I can't
see anything wrong with using HMAC here, it just seems odd...
Thanks!
Rusty.
📝 Original message:Ethan Heilman <eth3rs at gmail.com> writes:
>>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
>
> If I have a tag y = SHA256(key|cipher-type|mesg), I can without
> knowing key or msg compute a value y' such that
> y' = SHA256(key|cipher-type|mesg|any values I want).
Not quite, there's an important subtlety that SHA256 appends the
bitlength, so you can only create:
y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want).
But we're not using this for a MAC in BIP151, we're using this to
generate the encryption keys.
Arthur Chen <arthur.chen at btcc.com> said:
> HMAC has proven security property.
> It is still secure even when underlying crypto hashing function has
> collision resistant weakness.
> For example, MD5 is considered completely insecure now, but HMAC-MD5 is
> still considered secure.
> When in doubt, we should always use HMAC for MAC(Message Authentication
> Code) rather than custom construction
Bitcoin already relies on SHA256's robustness, but again, we don't need
a MAC here.
I'm happy to buy "we just copied ssh" if that's the answer, and I can't
see anything wrong with using HMAC here, it just seems odd...
Thanks!
Rusty.