From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 691673EE for ; Wed, 29 Jun 2016 14:39:25 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-vk0-f52.google.com (mail-vk0-f52.google.com [209.85.213.52]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 34F9622D for ; Wed, 29 Jun 2016 14:39:24 +0000 (UTC) Received: by mail-vk0-f52.google.com with SMTP id m127so9111707vkb.3 for ; Wed, 29 Jun 2016 07:39:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=eT5Jx1nCNMRlI48ypPR5aLiDI9k+6dJiTnTzesi20Qk=; b=rhx6NXEXAbrZCcccRH2sJnTFESau/lzh5/UhPy981bondu4Rlq9UxTVi8SANFFqjgI Y1G9JP9yhgsb06etJdYc9sooe2uhTlhrmvpKTl7VPV+YrziDEW3xgwBYwCVfCvDlYQtT 3XVA88S/u8v492v/3mLaV6FJX1JXC/0U0qQe1/38kSP1V2Lj7DP02VtPM4gTJC540Qlk EHjiSW1nR/vzf4rhDoq4hQENmPIRjU5ktt1w2NlgXEl9sYYF2c1/8xBeRMbFIzPv1Qty W5ObIxgP2Ee4DaXa5PUC6hiFH0wez1RivqvIX4ryXY9IJaVj152GxEF+xhWOIMRilQ75 J8cQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=eT5Jx1nCNMRlI48ypPR5aLiDI9k+6dJiTnTzesi20Qk=; b=T/iUvBoaMoG60eec1Wm3c8SpjWIDSOWx/PSd9iEDUAwSyAkmlU/4NPKhTz6Vsz49Ud iKoV4pbnVzkBreZGXpW59EZSPyOMfxER3gpl3xeun5ZmXxJ0IcekH9tdV8lb8uZiKkTR jcR2tq5VLDLx4/a14f7WrX3WHsEC7clQIHaXt92yF+hfkYsoPrvEUGchkdmZIieU4i2y 23MsOms2b2bdu2dHSPZUAEspehYoQruII19xIOKC4s3eQ8aGbu21iXwQUsI5u3W/hn+8 cZrk3u+btfTeFHQlF/evAQPTUdAH5CN8vR+fRsTlsqenujrwdU2GT3NX1cGBlTvcfnXp bgyA== X-Gm-Message-State: ALyK8tLETGr+MUZoZY4lAALt+3xtIxhogugR/MBCOUtFhFkQMAFp4RaIhO41pp+4ER650EJ/XQfF6ZUYxjfFrw== X-Received: by 10.159.32.16 with SMTP id 16mr3909271uam.77.1467211163316; Wed, 29 Jun 2016 07:39:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.176.68.132 with HTTP; Wed, 29 Jun 2016 07:38:43 -0700 (PDT) In-Reply-To: References: <87h9cecad5.fsf@rustcorp.com.au> <577224E8.6070307@jonasschnelli.ch> <8760ssdd1u.fsf@rustcorp.com.au> From: Ethan Heilman Date: Wed, 29 Jun 2016 10:38:43 -0400 Message-ID: To: Pieter Wuille Content-Type: text/plain; charset=UTF-8 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 29 Jun 2016 16:08:49 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2016 14:39:25 -0000 Just to clarify in BIP-0151 when it says: >It is important to include the cipher-type into the symmetric cipher key to avoid weak-cipher-attacks. the cipher-type here refers to the ECDH negotiation parameters? On Wed, Jun 29, 2016 at 2:58 AM, Pieter Wuille wrote: > On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" > wrote: >> >> >It's also not clear to me why the HMAC, vs just >> > SHA256(key|cipher-type|mesg). But that's probably just my crypto >> > ignorance... >> >> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of >> the length extension property of SHA256. > > This property does technically not apply here, as the output of the hash is > kept secret, and the possible messages are constants (which are presumably > chosen in such a way that one is never an extension of another). > > However, this is a good example of why you can't generically use a hash > function in places where you want a MAC (aka "a hash with a shared secret"). > Furthermore, if you already have a hash function anyway, HMAC is very easy > construct on top of it. > > -- > Pieter