> It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg).
> But that's probably just my crypto ignorance...
SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of the length extension property of SHA256. If I have a tag y = SHA256(key|cipher-type|mesg), I can, without knowing key or msg, compute a value y' such that y' = SHA256(key|cipher-type|mesg|any values I want). Thus, an attacker can trivially forge a tag protected by SHA256(key|cipher-type|mesg).

For more details see:
https://web.archive.org/web/20141029080820/http://vudang.com/2012/03/md5-length-extension-attack/

On Tue, Jun 28, 2016 at 9:00 PM, Rusty Russell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Jonas Schnelli <d...@jonasschnelli.ch> writes:
>>> To quote:
>>>
>>>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
>>>>
>>>> K_1 must be the left 32 bytes of the HMAC_SHA512 hash.
>>>> K_2 must be the right 32 bytes of the HMAC_SHA512 hash.
>>>
>>> This seems a weak reason to introduce SHA512 to the mix. Can we just
>>> make:
>>>
>>> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key")
>>> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
>>
>> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
>> make use of bip32 features. I thought a single SHA512_HMAC operation is
>> cheaper and simpler than two SHA256_HMAC.
>
> Good point; I would argue that mistake has already been made. But I was
> looking at appropriating your work for lightning inter-node comms, and
> adding another hash algo seemed unnecessarily painful.
>
>> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
>> Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> It's also not clear to me why the HMAC, vs just
> SHA256(key|cipher-type|mesg). But that's probably just my crypto
> ignorance...
>
> Thanks!
> Rusty.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev