Return-Path: <eth3rs@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id D3174721
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 29 Jun 2016 01:57:36 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com
	[209.85.213.47])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6335512F
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 29 Jun 2016 01:57:35 +0000 (UTC)
Received: by mail-vk0-f47.google.com with SMTP id k62so37070166vkb.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 28 Jun 2016 18:57:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:cc; bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=;
	b=aIwPxSkokGlDNkC8sHJ2a5fC8bRTMgtH015KxeSfmEGwnlfEzFUudoL3Bh3JoJgOoR
	opXOl7mHj06oHtcXCXkoCuz6K7YpT8dB/v+3LpRmF5NoEagB+jKn4hBSC7ixITBfpZ/b
	pjDtVPH89Uxo6RZSQQZrGNrwj47SPgwLPDZKqMy/SHH9O8+/hPSpLaHLIj4sdSWICJdP
	cxV9cgjyGomRDaCsZliBbUHS9OsPzNOtkgEi3rQxJv5F11Fko2jqE8wRBRF/6K71+GEj
	84tm1gkqlCFDvdLouxtj8r0JPswoLXKjR60zpGDIyjGeRyt9jzLd4FqUYNYcQYjO4LS5
	rfhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc;
	bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=;
	b=D55ZCqJz4RUU81bcLETOTMrP9gBIgfizlROEQt5A3AU466PP1L8wKjEEIf/wpFv6ii
	2zMhxdnaOutjoAqEA9YNcZXzqc20XFFYr4H9OGEH2oVoe0hpiyISVVz50S0rlrZSeDIW
	/g7epjQNYXf90RKdIe1+qPrBCwLZKBluBSxuhTCtMdfKV0/ebaOUT5RlS/pCUxwMabHO
	+1N1fZZISOTq1KOueWvt/xNUR7c6LSvPCIq5SgN8rn+kcANx7XEiuJNuq0kKyKuj2nMe
	yOcr5+5/Kt8l01ehXX5Y0Bfbzzm4qZr88Ljh2fCUVkNoKMHvwc7RSsPTkFJlvqDd1Eu4
	QByw==
X-Gm-Message-State: ALyK8tLA+pQvq3Tq2K0eZgMM3Zxiv70QoG7fpmULrx1IVJx/UfWas5kkdsOV6JyYXIQofss8iHVWEXQILGIvAg==
X-Received: by 10.31.16.101 with SMTP id g98mr2455378vki.105.1467165454425;
	Tue, 28 Jun 2016 18:57:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.68.132 with HTTP; Tue, 28 Jun 2016 18:56:55 -0700 (PDT)
In-Reply-To: <8760ssdd1u.fsf@rustcorp.com.au>
References: <87h9cecad5.fsf@rustcorp.com.au>
	<577224E8.6070307@jonasschnelli.ch>
	<8760ssdd1u.fsf@rustcorp.com.au>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Tue, 28 Jun 2016 21:56:55 -0400
Message-ID: <CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
To: Rusty Russell <rusty@rustcorp.com.au>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset=UTF-8
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 29 Jun 2016 05:04:50 +0000
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 01:57:37 -0000

>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg).  But that's probably just my crypto ignorance...

SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
the length extension property of SHA256.

If I have a tag y = SHA256(key|cipher-type|mesg), I can without
knowing key or msg compute a value y' such that
y' = SHA256(key|cipher-type|mesg|any values I want).

Thus, an attacker can trivially forge a tag protected by
SHA256(key|cipher-type|mesg).

For more details see:
https://web.archive.org/web/20141029080820/http://vudang.com/2012/03/md5-length-extension-attack/

On Tue, Jun 28, 2016 at 9:00 PM, Rusty Russell via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> Jonas Schnelli <dev@jonasschnelli.ch> writes:
>>> To quote:
>>>
>>>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
>>>>
>>>>  K_1 must be the left 32bytes of the HMAC_SHA512 hash.
>>>>  K_2 must be the right 32bytes of the HMAC_SHA512 hash.
>>>
>>> This seems a weak reason to introduce SHA512 to the mix.  Can we just
>>> make:
>>>
>>> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key")
>>> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
>>
>> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
>> make use of bip32 features. I though a single SHA512_HMAC operation is
>> cheaper and simpler then two SHA256_HMAC.
>
> Good point; I would argue that mistake has already been made.  But I was
> looking at appropriating your work for lightning inter-node comms, and
> adding another hash algo seemed unnecessarily painful.
>
>> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
>> Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> It's also not clear to me why the HMAC, vs just
> SHA256(key|cipher-type|mesg).  But that's probably just my crypto
> ignorance...
>
> Thanks!
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev