author: Ethan Heilman <eth3rs@gmail.com> 2016-06-28 21:56:55 -0400
committer: bitcoindev <bitcoindev@gnusha.org> 2016-06-29 01:57:36 +0000
commit: 1b08cef39c9b524f2e09ce6dbdd0c67afa2467da (patch)
tree: 45a37010523a035571a30394f0c66723d6a32133
parent: 6e6b63bd8405d738c607c5577261f7262f78b1b6 (diff)
Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
-rw-r--r-- 1d/4d90495e8fd695b53f9ef021c0bbf6cb44d4fa 123
1 file changed, 123 insertions, 0 deletions
diff --git a/1d/4d90495e8fd695b53f9ef021c0bbf6cb44d4fa b/1d/4d90495e8fd695b53f9ef021c0bbf6cb44d4fa
new file mode 100644
index 000000000..1c4f7b75f
--- /dev/null
+++ b/1d/4d90495e8fd695b53f9ef021c0bbf6cb44d4fa
@@ -0,0 +1,123 @@
+Return-Path: <eth3rs@gmail.com>
+Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
+ [172.17.192.35])
+ by mail.linuxfoundation.org (Postfix) with ESMTPS id D3174721
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Wed, 29 Jun 2016 01:57:36 +0000 (UTC)
+X-Greylist: whitelisted by SQLgrey-1.7.6
+Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com
+ [209.85.213.47])
+ by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6335512F
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Wed, 29 Jun 2016 01:57:35 +0000 (UTC)
+Received: by mail-vk0-f47.google.com with SMTP id k62so37070166vkb.3
+ for <bitcoin-dev@lists.linuxfoundation.org>;
+ Tue, 28 Jun 2016 18:57:35 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
+ h=mime-version:in-reply-to:references:from:date:message-id:subject:to
+ :cc; bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=;
+ b=aIwPxSkokGlDNkC8sHJ2a5fC8bRTMgtH015KxeSfmEGwnlfEzFUudoL3Bh3JoJgOoR
+ opXOl7mHj06oHtcXCXkoCuz6K7YpT8dB/v+3LpRmF5NoEagB+jKn4hBSC7ixITBfpZ/b
+ pjDtVPH89Uxo6RZSQQZrGNrwj47SPgwLPDZKqMy/SHH9O8+/hPSpLaHLIj4sdSWICJdP
+ cxV9cgjyGomRDaCsZliBbUHS9OsPzNOtkgEi3rQxJv5F11Fko2jqE8wRBRF/6K71+GEj
+ 84tm1gkqlCFDvdLouxtj8r0JPswoLXKjR60zpGDIyjGeRyt9jzLd4FqUYNYcQYjO4LS5
+ rfhw==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20130820;
+ h=x-gm-message-state:mime-version:in-reply-to:references:from:date
+ :message-id:subject:to:cc;
+ bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=;
+ b=D55ZCqJz4RUU81bcLETOTMrP9gBIgfizlROEQt5A3AU466PP1L8wKjEEIf/wpFv6ii
+ 2zMhxdnaOutjoAqEA9YNcZXzqc20XFFYr4H9OGEH2oVoe0hpiyISVVz50S0rlrZSeDIW
+ /g7epjQNYXf90RKdIe1+qPrBCwLZKBluBSxuhTCtMdfKV0/ebaOUT5RlS/pCUxwMabHO
+ +1N1fZZISOTq1KOueWvt/xNUR7c6LSvPCIq5SgN8rn+kcANx7XEiuJNuq0kKyKuj2nMe
+ yOcr5+5/Kt8l01ehXX5Y0Bfbzzm4qZr88Ljh2fCUVkNoKMHvwc7RSsPTkFJlvqDd1Eu4
+ QByw==
+X-Gm-Message-State: ALyK8tLA+pQvq3Tq2K0eZgMM3Zxiv70QoG7fpmULrx1IVJx/UfWas5kkdsOV6JyYXIQofss8iHVWEXQILGIvAg==
+X-Received: by 10.31.16.101 with SMTP id g98mr2455378vki.105.1467165454425;
+ Tue, 28 Jun 2016 18:57:34 -0700 (PDT)
+MIME-Version: 1.0
+Received: by 10.176.68.132 with HTTP; Tue, 28 Jun 2016 18:56:55 -0700 (PDT)
+In-Reply-To: <8760ssdd1u.fsf@rustcorp.com.au>
+References: <87h9cecad5.fsf@rustcorp.com.au>
+ <577224E8.6070307@jonasschnelli.ch>
+ <8760ssdd1u.fsf@rustcorp.com.au>
+From: Ethan Heilman <eth3rs@gmail.com>
+Date: Tue, 28 Jun 2016 21:56:55 -0400
+Message-ID: <CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
+To: Rusty Russell <rusty@rustcorp.com.au>,
+ Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
+Content-Type: text/plain; charset=UTF-8
+X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
+ DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
+ RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
+ smtp1.linux-foundation.org
+X-Mailman-Approved-At: Wed, 29 Jun 2016 05:04:50 +0000
+Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
+X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
+X-Mailman-Version: 2.1.12
+Precedence: list
+List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
+List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
+ <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
+List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
+List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
+List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
+List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
+ <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
+X-List-Received-Date: Wed, 29 Jun 2016 01:57:37 -0000
+
+>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
+
+SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
+the length extension property of SHA256.
+
+If I have a tag y = SHA256(key|cipher-type|mesg), I can without
+knowing key or msg compute a value y' such that
+y' = SHA256(key|cipher-type|mesg|any values I want).
+
+Thus, an attacker can trivially forge a tag protected by
+SHA256(key|cipher-type|mesg).
+
+For more details see:
+https://web.archive.org/web/20141029080820/http://vudang.com/2012/03/md5-length-extension-attack/
+
+On Tue, Jun 28, 2016 at 9:00 PM, Rusty Russell via bitcoin-dev
+<bitcoin-dev@lists.linuxfoundation.org> wrote:
+> Jonas Schnelli <dev@jonasschnelli.ch> writes:
+>>> To quote:
+>>>
+>>>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
+>>>>
+>>>> K_1 must be the left 32bytes of the HMAC_SHA512 hash.
+>>>> K_2 must be the right 32bytes of the HMAC_SHA512 hash.
+>>>
+>>> This seems a weak reason to introduce SHA512 to the mix. Can we just
+>>> make:
+>>>
+>>> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key")
+>>> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
+>>
+>> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
+>> make use of bip32 features. I though a single SHA512_HMAC operation is
+>> cheaper and simpler then two SHA256_HMAC.
+>
+> Good point; I would argue that mistake has already been made. But I was
+> looking at appropriating your work for lightning inter-node comms, and
+> adding another hash algo seemed unnecessarily painful.
+>
+>> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
+>> Bitcoin-Core uses it for HTTP RPC auth and Tor control.
+>
+> It's also not clear to me why the HMAC, vs just
+> SHA256(key|cipher-type|mesg). But that's probably just my crypto
+> ignorance...
+>
+> Thanks!
+> Rusty.
+> _______________________________________________
+> bitcoin-dev mailing list
+> bitcoin-dev@lists.linuxfoundation.org
+> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
+
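Review bot: The reply body (the paragraph beginning "SHA256(key|cipher-type|mesg) is an extremely insecure MAC") answers the question as a MAC question, while the BIP 151 text quoted further down uses HMAC_SHA512(key=ecdh_secret|cipher-type, msg="encryption key") as a key derivation step: the message is a fixed string, not attacker-visible data, and the output is split into K_1 and K_2 rather than sent as a tag. The length-extension point is correct for the MAC case (given y = SHA256(key|cipher-type|mesg) and the input length, one can compute a valid digest over key|cipher-type|mesg|padding|suffix without the key), and it is also the standard reason to prefer HMAC, which does not have this property, over a bare hash; for the KDF use it is worth stating the distinction explicitly so a reader does not take the tag-forgery scenario as the threat to the key-derivation line itself. The conclusion (keep HMAC rather than plain SHA256 of a concatenation) holds in both cases.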