Rusty Russell [ARCHIVE] on Nostr:
📅 Original date posted:2016-07-01
📝 Original message:Ethan Heilman <eth3rs at gmail.com> writes:
>>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
>
> If I have a tag y = SHA256(key|cipher-type|mesg), I can without
> knowing key or msg compute a value y' such that
> y' = SHA256(key|cipher-type|mesg|any values I want).

Not quite; there's an important subtlety: SHA256 appends the
bitlength, so you can only create:

y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want).

But we're not using this for a MAC in BIP151, we're using this to
generate the encryption keys.

Arthur Chen <arthur.chen at btcc.com> said:
> HMAC has proven security property.
> It is still secure even when underlying crypto hashing function has
> collision resistant weakness.
> For example, MD5 is considered completely insecure now, but HMAC-MD5 is
> still considered secure.
> When in doubt, we should always use HMAC for MAC(Message Authentication
> Code) rather than custom construction

Bitcoin already relies on SHA256's robustness, but again, we don't need
a MAC here.

I'm happy to buy "we just copied ssh" if that's the answer, and I can't
see anything wrong with using HMAC here, it just seems odd...

Thanks!
Rusty.
Published at 2023-06-07 17:51:50