1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
Return-Path: <rusty@ozlabs.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 11057957
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 1 Jul 2016 03:25:32 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from ozlabs.org (ozlabs.org [103.22.144.67])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 2AB1010E
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 1 Jul 2016 03:25:31 +0000 (UTC)
Received: by ozlabs.org (Postfix, from userid 1011)
id 3rghcl1SRsz9t0M; Fri, 1 Jul 2016 13:25:27 +1000 (AEST)
From: Rusty Russell <rusty@rustcorp.com.au>
To: Ethan Heilman <eth3rs@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
In-Reply-To: <CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
References: <87h9cecad5.fsf@rustcorp.com.au>
<577224E8.6070307@jonasschnelli.ch>
<8760ssdd1u.fsf@rustcorp.com.au>
<CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
User-Agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.5.1
(x86_64-pc-linux-gnu)
Date: Fri, 01 Jul 2016 12:55:17 +0930
Message-ID: <87oa6iavky.fsf@rustcorp.com.au>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jul 2016 03:25:32 -0000
Ethan Heilman <eth3rs@gmail.com> writes:
>>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
>
> If I have a tag y = SHA256(key|cipher-type|mesg), I can without
> knowing key or msg compute a value y' such that
> y' = SHA256(key|cipher-type|mesg|any values I want).
Not quite, there's an important subtlety that SHA256 appends the
bitlength, so you can only create:
y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want).
But we're not using this for a MAC in BIP151, we're using this to
generate the encryption keys.
Arthur Chen <arthur.chen@btcc.com> said:
> HMAC has proven security property.
> It is still secure even when underlying crypto hashing function has
> collision resistant weakness.
> For example, MD5 is considered completely insecure now, but HMAC-MD5 is
> still considered secure.
> When in doubt, we should always use HMAC for MAC(Message Authentication
> Code) rather than custom construction
Bitcoin already relies on SHA256's robustness, but again, we don't need
a MAC here.
I'm happy to buy "we just copied ssh" if that's the answer, and I can't
see anything wrong with using HMAC here, it just seems odd...
Thanks!
Rusty.
|