On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote:
HASH_d(x) = HASH(HASH(x))

I pretty much always use the HASH_d technique, and that way I don't
have to spend time figuring out what length-extension attacks can or
can't do to my designs.

On 2012-04-14 1:50 AM, Marsh Ray wrote:
But now SHA-2 takes a 50% performance hit on messages of 55 bytes and
shorter. Sometimes these messages are very common. For example, it's
around half of TCP packets, and guaranteed to be at least half of all
messages processed by the hash in HMAC constructions. So something like
IPsec AH would see around a 66% loss in performance if its bottleneck
were actually the authentication (estimating from a handy packet capture).

In typical applications, computational power is not the bottleneck. The bottleneck is net bandwidth or round trip time, so the computational cost seldom matters.

On the other hand, it is difficult for me to imagine a case where the length extension attack gains the attacker anything, apart from the case where one prepends a shared secret to the material to be hashed after encryption and uses ECB encryption, rather than appending a shared secret, or hashing before encryption and after decryption.

To construct a case where length extension matters, one must contrive a rather dreadful protocol.
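Added example, not code from any poster in this thread: a Python sketch that counts SHA-256 compression-function calls for HASH(x) versus HASH_d(x) = HASH(HASH(x)), showing where Marsh Ray's 55-byte boundary comes from (a 64-byte block minus 9 bytes of Merkle-Damgard padding) and that the double hash always costs exactly one extra block. Function names and the constructed sample lengths are my own.

```python
import hashlib

BLOCK = 64        # SHA-256 compression block size in bytes
DIGEST = 32       # SHA-256 output size in bytes
PAD_OVERHEAD = 9  # mandatory 0x80 byte plus 8-byte message length


def compression_calls(msg_len: int) -> int:
    """Compression-function calls needed to hash msg_len bytes with SHA-256.

    The padding always adds at least 9 bytes, so a message fits in a single
    block only while msg_len + 9 <= 64, i.e. msg_len <= 55.
    """
    return (msg_len + PAD_OVERHEAD + BLOCK - 1) // BLOCK


def max_single_block_len() -> int:
    """Longest message that still hashes in one compression call (55)."""
    return BLOCK - PAD_OVERHEAD


def hash_d(data: bytes) -> bytes:
    """HASH_d(x) = SHA256(SHA256(x)), the construction Zooko describes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash_d_calls(msg_len: int) -> int:
    """Calls for HASH_d: the outer hash runs over a 32-byte digest,
    which is always exactly one extra block."""
    return compression_calls(msg_len) + compression_calls(DIGEST)


def relative_cost(msg_len: int) -> float:
    """Cost of HASH_d relative to a plain hash of the same message."""
    return hash_d_calls(msg_len) / compression_calls(msg_len)


def cost_profile(lengths):
    """(length, plain calls, HASH_d calls, ratio) for each constructed length."""
    return [(n, compression_calls(n), hash_d_calls(n), relative_cost(n))
            for n in lengths]


if __name__ == "__main__":
    # Constructed sample lengths around the block boundaries.
    for row in cost_profile([0, 55, 56, 119, 120, 1400]):
        print("len=%5d  plain=%2d  hash_d=%2d  ratio=%.3f" % row)
```

The ratio is 2.0 for every message of 55 bytes or fewer (Marsh Ray's 50% hit) and falls toward 1.0 as messages grow, since the extra block is amortised.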
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
