Arthur Chen [ARCHIVE] on Nostr: ๐ Original date posted:2016-06-28 ๐ Original message:HMAC has proven security ...
๐
Original date posted:2016-06-28
๐ Original message:HMAC has proven security property.
It is still secure even when underlying crypto hashing function has
collision resistant weakness.
For example, MD5 is considered completely insecure now, but HMAC-MD5 is
still considered secure.
When in doubt, we should always use HMAC for MAC(Message Authentication
Code) rather than custom construction
On Wed, Jun 29, 2016 at 9:00 AM, Rusty Russell via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> Jonas Schnelli <dev at jonasschnelli.ch> writes:
> >> To quote:
> >>
> >>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
> >>>
> >>> K_1 must be the left 32bytes of the HMAC_SHA512 hash.
> >>> K_2 must be the right 32bytes of the HMAC_SHA512 hash.
> >>
> >> This seems a weak reason to introduce SHA512 to the mix. Can we just
> >> make:
> >>
> >> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption
> key")
> >> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
> >
> > SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
> > make use of bip32 features. I though a single SHA512_HMAC operation is
> > cheaper and simpler then two SHA256_HMAC.
>
> Good point; I would argue that mistake has already been made. But I was
> looking at appropriating your work for lightning inter-node comms, and
> adding another hash algo seemed unnecessarily painful.
>
> > AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
> > Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> It's also not clear to me why the HMAC, vs just
> SHA256(key|cipher-type|mesg). But that's probably just my crypto
> ignorance...
>
> Thanks!
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--
Xuesong (Arthur) Chen
Senior Principle Engineer
BlockChain Technologist
BTCC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/3e68c72a/attachment-0001.html>;
๐ Original message:HMAC has proven security property.
It is still secure even when underlying crypto hashing function has
collision resistant weakness.
For example, MD5 is considered completely insecure now, but HMAC-MD5 is
still considered secure.
When in doubt, we should always use HMAC for MAC(Message Authentication
Code) rather than custom construction
On Wed, Jun 29, 2016 at 9:00 AM, Rusty Russell via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> Jonas Schnelli <dev at jonasschnelli.ch> writes:
> >> To quote:
> >>
> >>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
> >>>
> >>> K_1 must be the left 32bytes of the HMAC_SHA512 hash.
> >>> K_2 must be the right 32bytes of the HMAC_SHA512 hash.
> >>
> >> This seems a weak reason to introduce SHA512 to the mix. Can we just
> >> make:
> >>
> >> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption
> key")
> >> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
> >
> > SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
> > make use of bip32 features. I though a single SHA512_HMAC operation is
> > cheaper and simpler then two SHA256_HMAC.
>
> Good point; I would argue that mistake has already been made. But I was
> looking at appropriating your work for lightning inter-node comms, and
> adding another hash algo seemed unnecessarily painful.
>
> > AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
> > Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> It's also not clear to me why the HMAC, vs just
> SHA256(key|cipher-type|mesg). But that's probably just my crypto
> ignorance...
>
> Thanks!
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--
Xuesong (Arthur) Chen
Senior Principle Engineer
BlockChain Technologist
BTCC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/3e68c72a/attachment-0001.html>;