Pieter Wuille [ARCHIVE] on Nostr: 📅 Original date posted:2016-06-29 📝 Original message:On Jun 29, 2016 07:05, ...
📅 Original date posted:2016-06-29
📝 Original message:On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" <
bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> >It's also not clear to me why the HMAC, vs just
SHA256(key|cipher-type|mesg). But that's probably just my crypto
ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
This property technically does not apply here, as the output of the hash is
kept secret, and the possible messages are constants (which are presumably
chosen in such a way that one is never an extension of another).
However, this is a good example of why you can't generically use a hash
function in places where you want a MAC (aka "a hash with a shared
secret"). Furthermore, if you already have a hash function anyway, HMAC is
very easy construct on top of it.
--
Pieter
Published at 2023-06-07 17:51:35