Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id D3174721 for ; Wed, 29 Jun 2016 01:57:36 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com [209.85.213.47]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6335512F for ; Wed, 29 Jun 2016 01:57:35 +0000 (UTC) Received: by mail-vk0-f47.google.com with SMTP id k62so37070166vkb.3 for ; Tue, 28 Jun 2016 18:57:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=; b=aIwPxSkokGlDNkC8sHJ2a5fC8bRTMgtH015KxeSfmEGwnlfEzFUudoL3Bh3JoJgOoR opXOl7mHj06oHtcXCXkoCuz6K7YpT8dB/v+3LpRmF5NoEagB+jKn4hBSC7ixITBfpZ/b pjDtVPH89Uxo6RZSQQZrGNrwj47SPgwLPDZKqMy/SHH9O8+/hPSpLaHLIj4sdSWICJdP cxV9cgjyGomRDaCsZliBbUHS9OsPzNOtkgEi3rQxJv5F11Fko2jqE8wRBRF/6K71+GEj 84tm1gkqlCFDvdLouxtj8r0JPswoLXKjR60zpGDIyjGeRyt9jzLd4FqUYNYcQYjO4LS5 rfhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=; b=D55ZCqJz4RUU81bcLETOTMrP9gBIgfizlROEQt5A3AU466PP1L8wKjEEIf/wpFv6ii 2zMhxdnaOutjoAqEA9YNcZXzqc20XFFYr4H9OGEH2oVoe0hpiyISVVz50S0rlrZSeDIW /g7epjQNYXf90RKdIe1+qPrBCwLZKBluBSxuhTCtMdfKV0/ebaOUT5RlS/pCUxwMabHO +1N1fZZISOTq1KOueWvt/xNUR7c6LSvPCIq5SgN8rn+kcANx7XEiuJNuq0kKyKuj2nMe yOcr5+5/Kt8l01ehXX5Y0Bfbzzm4qZr88Ljh2fCUVkNoKMHvwc7RSsPTkFJlvqDd1Eu4 QByw== X-Gm-Message-State: ALyK8tLA+pQvq3Tq2K0eZgMM3Zxiv70QoG7fpmULrx1IVJx/UfWas5kkdsOV6JyYXIQofss8iHVWEXQILGIvAg== X-Received: by 10.31.16.101 with SMTP id g98mr2455378vki.105.1467165454425; Tue, 28 Jun 2016 18:57:34 -0700 (PDT) MIME-Version: 1.0 Received: by 10.176.68.132 with HTTP; Tue, 28 Jun 2016 18:56:55 -0700 (PDT) In-Reply-To: <8760ssdd1u.fsf@rustcorp.com.au> References: <87h9cecad5.fsf@rustcorp.com.au> <577224E8.6070307@jonasschnelli.ch> <8760ssdd1u.fsf@rustcorp.com.au> From: Ethan Heilman Date: Tue, 28 Jun 2016 21:56:55 -0400 Message-ID: To: Rusty Russell , Bitcoin Protocol Discussion Content-Type: text/plain; charset=UTF-8 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 29 Jun 2016 05:04:50 +0000 Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2016 01:57:37 -0000 >It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance... SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of the length extension property of SHA256. If I have a tag y = SHA256(key|cipher-type|mesg), I can without knowing key or msg compute a value y' such that y' = SHA256(key|cipher-type|mesg|any values I want). Thus, an attacker can trivially forge a tag protected by SHA256(key|cipher-type|mesg). For more details see: https://web.archive.org/web/20141029080820/http://vudang.com/2012/03/md5-length-extension-attack/ On Tue, Jun 28, 2016 at 9:00 PM, Rusty Russell via bitcoin-dev wrote: > Jonas Schnelli writes: >>> To quote: >>> >>>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key"). >>>> >>>> K_1 must be the left 32bytes of the HMAC_SHA512 hash. >>>> K_2 must be the right 32bytes of the HMAC_SHA512 hash. >>> >>> This seems a weak reason to introduce SHA512 to the mix. Can we just >>> make: >>> >>> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key") >>> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key") >> >> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow >> make use of bip32 features. I though a single SHA512_HMAC operation is >> cheaper and simpler then two SHA256_HMAC. > > Good point; I would argue that mistake has already been made. But I was > looking at appropriating your work for lightning inter-node comms, and > adding another hash algo seemed unnecessarily painful. > >> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer. >> Bitcoin-Core uses it for HTTP RPC auth and Tor control. > > It's also not clear to me why the HMAC, vs just > SHA256(key|cipher-type|mesg). But that's probably just my crypto > ignorance... > > Thanks! > Rusty. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev