1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
Return-Path: <eth3rs@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id D3174721
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 01:57:36 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com
[209.85.213.47])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6335512F
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 29 Jun 2016 01:57:35 +0000 (UTC)
Received: by mail-vk0-f47.google.com with SMTP id k62so37070166vkb.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 28 Jun 2016 18:57:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=;
b=aIwPxSkokGlDNkC8sHJ2a5fC8bRTMgtH015KxeSfmEGwnlfEzFUudoL3Bh3JoJgOoR
opXOl7mHj06oHtcXCXkoCuz6K7YpT8dB/v+3LpRmF5NoEagB+jKn4hBSC7ixITBfpZ/b
pjDtVPH89Uxo6RZSQQZrGNrwj47SPgwLPDZKqMy/SHH9O8+/hPSpLaHLIj4sdSWICJdP
cxV9cgjyGomRDaCsZliBbUHS9OsPzNOtkgEi3rQxJv5F11Fko2jqE8wRBRF/6K71+GEj
84tm1gkqlCFDvdLouxtj8r0JPswoLXKjR60zpGDIyjGeRyt9jzLd4FqUYNYcQYjO4LS5
rfhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=5DVZAYB7Ma/nFs/pMfnHLtXx6zIsZ1pIUAVLdgUMhz4=;
b=D55ZCqJz4RUU81bcLETOTMrP9gBIgfizlROEQt5A3AU466PP1L8wKjEEIf/wpFv6ii
2zMhxdnaOutjoAqEA9YNcZXzqc20XFFYr4H9OGEH2oVoe0hpiyISVVz50S0rlrZSeDIW
/g7epjQNYXf90RKdIe1+qPrBCwLZKBluBSxuhTCtMdfKV0/ebaOUT5RlS/pCUxwMabHO
+1N1fZZISOTq1KOueWvt/xNUR7c6LSvPCIq5SgN8rn+kcANx7XEiuJNuq0kKyKuj2nMe
yOcr5+5/Kt8l01ehXX5Y0Bfbzzm4qZr88Ljh2fCUVkNoKMHvwc7RSsPTkFJlvqDd1Eu4
QByw==
X-Gm-Message-State: ALyK8tLA+pQvq3Tq2K0eZgMM3Zxiv70QoG7fpmULrx1IVJx/UfWas5kkdsOV6JyYXIQofss8iHVWEXQILGIvAg==
X-Received: by 10.31.16.101 with SMTP id g98mr2455378vki.105.1467165454425;
Tue, 28 Jun 2016 18:57:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.68.132 with HTTP; Tue, 28 Jun 2016 18:56:55 -0700 (PDT)
In-Reply-To: <8760ssdd1u.fsf@rustcorp.com.au>
References: <87h9cecad5.fsf@rustcorp.com.au>
<577224E8.6070307@jonasschnelli.ch>
<8760ssdd1u.fsf@rustcorp.com.au>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Tue, 28 Jun 2016 21:56:55 -0400
Message-ID: <CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
To: Rusty Russell <rusty@rustcorp.com.au>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset=UTF-8
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 29 Jun 2016 05:04:50 +0000
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 01:57:37 -0000
>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
the length extension property of SHA256.
If I have a tag y = SHA256(key|cipher-type|mesg), I can without
knowing key or msg compute a value y' such that
y' = SHA256(key|cipher-type|mesg|any values I want).
Thus, an attacker can trivially forge a tag protected by
SHA256(key|cipher-type|mesg).
For more details see:
https://web.archive.org/web/20141029080820/http://vudang.com/2012/03/md5-length-extension-attack/
On Tue, Jun 28, 2016 at 9:00 PM, Rusty Russell via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> Jonas Schnelli <dev@jonasschnelli.ch> writes:
>>> To quote:
>>>
>>>> HMAC_SHA512(key=ecdh_secret|cipher-type,msg="encryption key").
>>>>
>>>> K_1 must be the left 32bytes of the HMAC_SHA512 hash.
>>>> K_2 must be the right 32bytes of the HMAC_SHA512 hash.
>>>
>>> This seems a weak reason to introduce SHA512 to the mix. Can we just
>>> make:
>>>
>>> K_1 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="header encryption key")
>>> K_2 = HMAC_SHA256(key=ecdh_secret|cipher-type,msg="body encryption key")
>>
>> SHA512_HMAC is used by BIP32 [1] and I guess most clients will somehow
>> make use of bip32 features. I though a single SHA512_HMAC operation is
>> cheaper and simpler then two SHA256_HMAC.
>
> Good point; I would argue that mistake has already been made. But I was
> looking at appropriating your work for lightning inter-node comms, and
> adding another hash algo seemed unnecessarily painful.
>
>> AFAIK, sha256_hmac is also not used by the current p2p & consensus layer.
>> Bitcoin-Core uses it for HTTP RPC auth and Tor control.
>
> It's also not clear to me why the HMAC, vs just
> SHA256(key|cipher-type|mesg). But that's probably just my crypto
> ignorance...
>
> Thanks!
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|
