On Fri, Apr 13, 2012 at 1:51 PM, Marsh Ray <ma...@extendedsubset.com> wrote:
> On 04/13/2012 02:38 PM, James A. Donald wrote:
>>
>> To construct a case where length extension matters, one must
>> contrive a rather dreadful protocol.
>
> http://vnhacker.blogspot.com/2009/09/flickrs-api-signature-forgery.html

Yes, I think that's quite common. Web developers tasked with adding authorization to requests seem to come up with tag = H(key | request) more often than not.

I guess one really good thing about SHA-3 is that the next generation of those web developers, after SHA-2 is removed from standard libraries, will accidentally have safe auth. :-)

I really don't know when that will be, though. I think they currently use SHA-1, and occasionally MD5, because those are the ones that they have heard about and they are prominently documented in their standard libraries. I suspect Linus Torvalds's decision to use SHA-1 in git is going to mean that those web developers choose SHA-1 for many, many years to come.

Regards,

Zooko
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography