Just to clarify, in BIP-0151 when it says:

> It is important to include the cipher-type into the symmetric cipher key to
> avoid weak-cipher-attacks.

the cipher-type here refers to the ECDH negotiation parameters?

On Wed, Jun 29, 2016 at 2:58 AM, Pieter Wuille <pieter.wui...@gmail.com> wrote:
> On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev"
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> > It's also not clear to me why the HMAC, vs just
>> > SHA256(key|cipher-type|mesg). But that's probably just my crypto
>> > ignorance...
>>
>> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
>> the length extension property of SHA256.
>
> This property does technically not apply here, as the output of the hash is
> kept secret, and the possible messages are constants (which are presumably
> chosen in such a way that one is never an extension of another).
>
> However, this is a good example of why you can't generically use a hash
> function in places where you want a MAC (aka "a hash with a shared secret").
> Furthermore, if you already have a hash function anyway, HMAC is very easy
> to construct on top of it.
>
> --
> Pieter

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
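The two points in the quoted exchange, that HMAC is easy to build from a bare hash and that the cipher-type should be bound into the derived symmetric key, as an added example that is not part of the thread or of BIP-0151's reference code. It builds HMAC-SHA256 from `hashlib.sha256` alone per RFC 2104, keeps the naive `SHA256(key|msg)` form only for contrast, and derives per-cipher keys from a constructed stand-in for the ECDH secret. The key-derivation layout (secret as HMAC key, length-prefixed cipher-type plus a label as the message) is an assumption made for illustration and is not BIP-0151's exact derivation.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this size


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 built from nothing but the bare hash (RFC 2104 construction).

    H((K ^ opad) || H((K ^ ipad) || msg)).  The outer keyed hash is what
    defeats length extension: the tag is not the running state of a hash
    over data the verifier's peer can see, so it cannot be continued.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()   # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")     # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def naive_mac(key: bytes, msg: bytes) -> bytes:
    """The SHA256(key|msg) 'MAC' discussed in the thread, kept only for contrast.

    The tag here is exactly the hash's final internal state over key||msg,
    which is the property that makes a Merkle-Damgard hash extendable by
    anyone who sees the tag.  Do not use this as a MAC.
    """
    return hashlib.sha256(key + msg).digest()


def derive_cipher_key(shared_secret: bytes, cipher_type: bytes, label: bytes) -> bytes:
    """Derive one symmetric key bound to a cipher-type identifier.

    Assumed layout for this example: the shared secret is the HMAC key and the
    message is a length-prefixed cipher-type followed by a label such as b"k1".
    The length prefix keeps (cipher_type, label) pairs from colliding.  Binding
    the cipher-type means a session negotiated under a different cipher ends
    up with an unrelated key rather than the same key under a weaker cipher.
    """
    encoded = len(cipher_type).to_bytes(2, "big") + cipher_type + label
    return hmac_sha256(shared_secret, encoded)


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison so verification does not leak timing."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Self-check: our from-scratch HMAC agrees with Python's hmac module."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed stand-in for an ECDH shared secret, not a real key exchange output.
    secret = b"constructed-ecdh-shared-secret"
    k_a = derive_cipher_key(secret, b"constructed-cipher-A", b"k1")
    k_b = derive_cipher_key(secret, b"constructed-cipher-B", b"k1")
    print("key under cipher A:", k_a.hex())
    print("key under cipher B:", k_b.hex())
    print("same key for two cipher types?", k_a == k_b)
    print("from-scratch HMAC matches stdlib?", matches_stdlib(secret, b"msg"))
```

The `naive_mac` function is deliberately the shape Pieter warns against: its output is the hash state itself, so it is only safe in the narrow case he describes (secret output, fixed non-extending inputs). `hmac_sha256` is the general answer for the same cost of one extra compression, and the RFC 4231 test vectors are a quick way to confirm a from-scratch implementation before trusting it.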