Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-18 Thread Marsh Ray
On 04/14/2012 06:39 AM, David Adamson wrote: NSA designed SHA-2 to stay in libraries for a long time. Length extension is not an issue for SHA-2 anymore with SHA-512/256. That is a double-pipe hash function perfectly secure against length-extension attack. On 64-bit platforms SHA512 and

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-14 Thread David Adamson
On Fri Apr 13 23:36:26 EDT 2012 Zooko Wilcox-O'Hearn zooko at zooko.com wrote: I guess that's one really good thing about SHA-3 is that the next generation of those web developers, after SHA-2 is removed from standard libraries, will accidentally have safe auth. :-) I really don't know

[cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-13 Thread Zooko Wilcox-O'Hearn
If you're using one of the pre-SHA-3 era secure hash functions which is vulnerable to length-extension attacks (e.g. SHA-256), then a good fix is the HASH_d technique suggested in Ferguson and Schneier's Practical Cryptography book (whose new edition is Ferguson, Schneier, and Kohno's

Re: [cryptography] workaround for length extension attacks

2012-04-13 Thread James A. Donald
On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote: HASH_d(x) = HASH(HASH(x)) I pretty much always use the HASH_d technique, and that way I don't have to spend time figuring out what length-extension attacks can or can't do to my designs. On 2012-04-14 1:50 AM, Marsh Ray wrote: But now SHA-2

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-13 Thread Zooko Wilcox-O'Hearn
On Fri, Apr 13, 2012 at 9:50 AM, Marsh Ray ma...@extendedsubset.com wrote: But now SHA-2 takes a 50% performance hit on messages of 55 bytes and shorter. Good point. So something like IPsec AH would see around a 66% loss in performance if its bottleneck were actually the authentication

Re: [cryptography] workaround for length extension attacks

2012-04-13 Thread Zooko Wilcox-O'Hearn
On Fri, Apr 13, 2012 at 1:51 PM, Marsh Ray ma...@extendedsubset.com wrote: On 04/13/2012 02:38 PM, James A. Donald wrote: To construct a case where length extension matters, one must contrive a rather dreadful protocol.