If you're using one of the pre-SHA-3 era secure hash functions which
is vulnerable to length-extension attacks (e.g. SHA-256), then a good
fix is the "HASH_d" technique suggested in Ferguson and Schneier's
"Practical Cryptography" book (whose new edition is Ferguson,
Schneier, and Kohno's "Cryptography Engineering" book).

HASH_d(x) = HASH(HASH(x))

That puts a stop to all length-extension attacks, and seems pretty
unlikely to introduce any other problems in a good hash function like
SHA-256.

I pretty much always use the HASH_d technique, and that way I don't
have to spend time figuring out what length-extension attacks can or
can't do to my designs.

Of course, once you upgrade to a shiny new hash function with built-in
protection against length-extension attack, then you should drop the
HASH_d technique.

Regards,

Zooko
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
