Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 11057957 for ; Fri, 1 Jul 2016 03:25:32 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from ozlabs.org (ozlabs.org [103.22.144.67]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 2AB1010E for ; Fri, 1 Jul 2016 03:25:31 +0000 (UTC) Received: by ozlabs.org (Postfix, from userid 1011) id 3rghcl1SRsz9t0M; Fri, 1 Jul 2016 13:25:27 +1000 (AEST) From: Rusty Russell To: Ethan Heilman , Bitcoin Protocol Discussion In-Reply-To: References: <87h9cecad5.fsf@rustcorp.com.au> <577224E8.6070307@jonasschnelli.ch> <8760ssdd1u.fsf@rustcorp.com.au> User-Agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu) Date: Fri, 01 Jul 2016 12:55:17 +0930 Message-ID: <87oa6iavky.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2016 03:25:32 -0000 Ethan Heilman writes: >>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance... > > SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of > the length extension property of SHA256. > > If I have a tag y = SHA256(key|cipher-type|mesg), I can without > knowing key or msg compute a value y' such that > y' = SHA256(key|cipher-type|mesg|any values I want). Not quite, there's an important subtlety that SHA256 appends the bitlength, so you can only create: y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want). But we're not using this for a MAC in BIP151, we're using this to generate the encryption keys. Arthur Chen said: > HMAC has proven security property. > It is still secure even when underlying crypto hashing function has > collision resistant weakness. > For example, MD5 is considered completely insecure now, but HMAC-MD5 is > still considered secure. > When in doubt, we should always use HMAC for MAC(Message Authentication > Code) rather than custom construction Bitcoin already relies on SHA256's robustness, but again, we don't need a MAC here. I'm happy to buy "we just copied ssh" if that's the answer, and I can't see anything wrong with using HMAC here, it just seems odd... Thanks! Rusty.