Yes, when the SHA-3 process was launched—in the exciting time when MD5
and SHA-1 had been dramatically shown to be weak—it seemed like we
were in danger of waking up one day and finding out that we had no
strong hash functions left. It was prudent to get started on SHA-3
ASAP in order to have an
If you're using one of the pre-SHA-3 era secure hash functions which
are vulnerable to length-extension attacks (e.g. SHA-256), then a good
fix is the HASH_d technique suggested in Ferguson and Schneier's
Practical Cryptography book (whose new edition is Ferguson,
Schneier, and Kohno's
On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote:
HASH_d(x) = HASH(HASH(x))
I pretty much always use the HASH_d technique, and that way I don't
have to spend time figuring out what length-extension attacks can or
can't do to my designs.
On 2012-04-14 1:50 AM, Marsh Ray wrote:
But now SHA-2
On Fri, Apr 13, 2012 at 9:50 AM, Marsh Ray ma...@extendedsubset.com wrote:
But now SHA-2 takes a 50% performance hit on messages of 55 bytes and shorter.
Good point.
So something like IPsec AH would see around a 66% loss in performance if its
bottleneck were actually the authentication
On Fri, Apr 13, 2012 at 1:51 PM, Marsh Ray ma...@extendedsubset.com wrote:
On 04/13/2012 02:38 PM, James A. Donald wrote:
To construct a case where length extension matters, one must
contrive a rather dreadful protocol.
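As an added illustration that is not part of the thread, the following Python implements Zooko's HASH_d with SHA-256 and counts compression-function calls per message, which is where Marsh Ray's "50% hit at 55 bytes and shorter" figure comes from; the function names here are my own.

```python
import hashlib

# SHA-256 works on 64-byte blocks. Padding appends 0x80, zero bytes and an
# 8-byte bit length, so a message of n bytes costs ceil((n + 9) / 64) blocks.
BLOCK_SIZE = 64
PAD_OVERHEAD = 9
DIGEST_SIZE = 32


def hash_d(data: bytes) -> bytes:
    """HASH_d(x) = HASH(HASH(x)), here with SHA-256 as HASH."""
    inner = hashlib.sha256(data).digest()
    return hashlib.sha256(inner).digest()


def compression_calls(n_bytes: int) -> int:
    """Compression-function invocations for plain SHA-256 over n_bytes."""
    return (n_bytes + PAD_OVERHEAD + BLOCK_SIZE - 1) // BLOCK_SIZE


def hash_d_calls(n_bytes: int) -> int:
    """HASH_d cost: inner hash over the message plus an outer hash over
    the 32-byte inner digest, which always fits in a single block."""
    return compression_calls(n_bytes) + compression_calls(DIGEST_SIZE)


def throughput_loss(n_bytes: int) -> float:
    """Fraction of throughput lost by using HASH_d instead of plain SHA-256,
    measured in compression calls (0.5 means half the speed)."""
    return 1.0 - compression_calls(n_bytes) / hash_d_calls(n_bytes)


if __name__ == "__main__":
    # Constructed sample lengths: the one-block boundary (55/56 bytes),
    # a typical short authenticated header, and a larger payload.
    for n in (0, 55, 56, 119, 120, 1000):
        print(f"{n:5d} bytes: plain={compression_calls(n)} "
              f"hash_d={hash_d_calls(n)} loss={throughput_loss(n):.1%}")
    print("HASH_d('abc') =", hash_d(b"abc").hex())
```

The loss is exactly 50% for every message of 55 bytes or less and shrinks as messages grow, since the extra outer block is a fixed cost.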