Ethan Heilman <eth...@gmail.com> writes:
>>It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg).
>> But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
>
> If I have a tag y = SHA256(key|cipher-type|mesg), I can without
> knowing key or msg compute a value y' such that
> y' = SHA256(key|cipher-type|mesg|any values I want).
Not quite, there's an important subtlety that SHA256 appends the bitlength, so you can only create:

y' = SHA256(key|cipher-type|mesg|padding|bitlength|any values I want).

But we're not using this for a MAC in BIP151, we're using this to generate the encryption keys.

Arthur Chen <arthur.c...@btcc.com> said:
> HMAC has proven security property.
> It is still secure even when underlying crypto hashing function has
> collision resistant weakness.
> For example, MD5 is considered completely insecure now, but HMAC-MD5 is
> still considered secure.
> When in doubt, we should always use HMAC for MAC(Message Authentication
> Code) rather than custom construction

Bitcoin already relies on SHA256's robustness, but again, we don't need a MAC here.

I'm happy to buy "we just copied ssh" if that's the answer, and I can't see anything wrong with using HMAC here, it just seems odd...

Thanks!
Rusty.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
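The padding subtlety and the HMAC construction discussed in the thread, as an added Python example that is not part of the mailing-list exchange or of BIP151's code: it builds the exact `padding|bitlength` bytes SHA-256 inserts before any extension, and assembles HMAC-SHA256 from the bare hash (ipad/opad nesting) to show why that construction is not subject to the same property. The key and cipher-type strings are constructed placeholders, not BIP151 values.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes

def md_padding(msg_len):
    """Merkle-Damgard padding SHA-256 appends before the final compression:
    0x80, zero bytes up to 56 mod 64, then the 64-bit big-endian bit length.
    This is the 'padding|bitlength' Rusty points out must sit inside y'."""
    pad = b"\x80"
    pad += b"\x00" * ((56 - (msg_len + 1)) % BLOCK)
    pad += (msg_len * 8).to_bytes(8, "big")
    return pad

def plain_tag(key, cipher_type, mesg):
    """The construction questioned in the thread: SHA256(key|cipher-type|mesg)."""
    return hashlib.sha256(key + cipher_type + mesg).digest()

def extended_message(key, cipher_type, mesg, extra):
    """The only message layout an extension of plain_tag can correspond to:
    the original input, then SHA-256's own padding and bit length, then extra.
    Any verifier that parses 'mesg' as a fixed format sees the padding bytes."""
    prefix = key + cipher_type + mesg
    return prefix + md_padding(len(prefix)) + extra

def hmac_sha256_manual(key, data):
    """HMAC-SHA256 built from the primitive (RFC 2104): the outer hash over
    opad|inner_digest is keyed, so the exposed tag is not a hash state that
    continues the inner message."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + data).digest()
    return hashlib.sha256(opad + inner).digest()

def matches_stdlib(key, data):
    """Cross-check the manual HMAC against Python's hmac module."""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_manual(key, data), expected)

if __name__ == "__main__":
    key, ct, mesg = b"k" * 32, b"ciphertype-placeholder", b"session data"  # constructed
    print("plain tag:", plain_tag(key, ct, mesg).hex())
    print("bytes forced between mesg and extension:", md_padding(len(key + ct + mesg)).hex())
    print("manual HMAC matches stdlib:", matches_stdlib(key, mesg))
```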