1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
Return-Path: <eth3rs@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 691673EE
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 14:39:25 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-vk0-f52.google.com (mail-vk0-f52.google.com
[209.85.213.52])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 34F9622D
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 14:39:24 +0000 (UTC)
Received: by mail-vk0-f52.google.com with SMTP id m127so9111707vkb.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 07:39:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=eT5Jx1nCNMRlI48ypPR5aLiDI9k+6dJiTnTzesi20Qk=;
b=rhx6NXEXAbrZCcccRH2sJnTFESau/lzh5/UhPy981bondu4Rlq9UxTVi8SANFFqjgI
Y1G9JP9yhgsb06etJdYc9sooe2uhTlhrmvpKTl7VPV+YrziDEW3xgwBYwCVfCvDlYQtT
3XVA88S/u8v492v/3mLaV6FJX1JXC/0U0qQe1/38kSP1V2Lj7DP02VtPM4gTJC540Qlk
EHjiSW1nR/vzf4rhDoq4hQENmPIRjU5ktt1w2NlgXEl9sYYF2c1/8xBeRMbFIzPv1Qty
W5ObIxgP2Ee4DaXa5PUC6hiFH0wez1RivqvIX4ryXY9IJaVj152GxEF+xhWOIMRilQ75
J8cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=eT5Jx1nCNMRlI48ypPR5aLiDI9k+6dJiTnTzesi20Qk=;
b=T/iUvBoaMoG60eec1Wm3c8SpjWIDSOWx/PSd9iEDUAwSyAkmlU/4NPKhTz6Vsz49Ud
iKoV4pbnVzkBreZGXpW59EZSPyOMfxER3gpl3xeun5ZmXxJ0IcekH9tdV8lb8uZiKkTR
jcR2tq5VLDLx4/a14f7WrX3WHsEC7clQIHaXt92yF+hfkYsoPrvEUGchkdmZIieU4i2y
23MsOms2b2bdu2dHSPZUAEspehYoQruII19xIOKC4s3eQ8aGbu21iXwQUsI5u3W/hn+8
cZrk3u+btfTeFHQlF/evAQPTUdAH5CN8vR+fRsTlsqenujrwdU2GT3NX1cGBlTvcfnXp
bgyA==
X-Gm-Message-State: ALyK8tLETGr+MUZoZY4lAALt+3xtIxhogugR/MBCOUtFhFkQMAFp4RaIhO41pp+4ER650EJ/XQfF6ZUYxjfFrw==
X-Received: by 10.159.32.16 with SMTP id 16mr3909271uam.77.1467211163316; Wed,
29 Jun 2016 07:39:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.68.132 with HTTP; Wed, 29 Jun 2016 07:38:43 -0700 (PDT)
In-Reply-To: <CAPg+sBj3QRGYUzJn96ZS4bf1ZEH9KTwF+OxPXE-O_YJA66grBg@mail.gmail.com>
References: <87h9cecad5.fsf@rustcorp.com.au>
<577224E8.6070307@jonasschnelli.ch>
<8760ssdd1u.fsf@rustcorp.com.au>
<CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
<CAPg+sBj3QRGYUzJn96ZS4bf1ZEH9KTwF+OxPXE-O_YJA66grBg@mail.gmail.com>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Wed, 29 Jun 2016 10:38:43 -0400
Message-ID: <CAEM=y+X5uT+UbB1f6+ynsWW4ZsxEE4X0-PbHqWXEWz_mUj8Y2w@mail.gmail.com>
To: Pieter Wuille <pieter.wuille@gmail.com>
Content-Type: text/plain; charset=UTF-8
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 29 Jun 2016 16:08:49 +0000
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 14:39:25 -0000
Just to clarify in BIP-0151 when it says:
>It is important to include the cipher-type into the symmetric cipher key to avoid weak-cipher-attacks.
the cipher-type here refers to the ECDH negotiation parameters?
On Wed, Jun 29, 2016 at 2:58 AM, Pieter Wuille <pieter.wuille@gmail.com> wrote:
> On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev"
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> >It's also not clear to me why the HMAC, vs just
>> > SHA256(key|cipher-type|mesg). But that's probably just my crypto
>> > ignorance...
>>
>> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
>> the length extension property of SHA256.
>
> This property does technically not apply here, as the output of the hash is
> kept secret, and the possible messages are constants (which are presumably
> chosen in such a way that one is never an extension of another).
>
> However, this is a good example of why you can't generically use a hash
> function in places where you want a MAC (aka "a hash with a shared secret").
> Furthermore, if you already have a hash function anyway, HMAC is very easy
> construct on top of it.
>
> --
> Pieter
|
