Re: [cryptography] workaround for length extension attacks

2012-04-13 Thread James A. Donald
On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote: HASH_d(x) = HASH(HASH(x)) I pretty much always use the HASH_d technique, and that way I don't have to spend time figuring out what length-extension attacks can or can't do to my designs. On 2012-04-14 1:50 AM, Marsh Ray wrote: But now SHA-2

Re: [cryptography] workaround for length extension attacks

2012-04-13 Thread Marsh Ray
On 04/13/2012 02:38 PM, James A. Donald wrote: To construct a case where length extension matters, one must contrive a rather dreadful protocol. http://vnhacker.blogspot.com/2009/09/flickrs-api-signature-forgery.html Date Published: Sep. 28, 2009 Advisory ID: MOCB-01 Advisory URL: http://n

Re: [cryptography] workaround for length extension attacks

2012-04-13 Thread Zooko Wilcox-O'Hearn
On Fri, Apr 13, 2012 at 1:51 PM, Marsh Ray wrote: > On 04/13/2012 02:38 PM, James A. Donald wrote: >> >> >> To construct a case where length extension matters, one must >> contrive a rather dreadful protocol. > > > http://vnhacker.blogspot.com/2009/09/flickrs-api-signature-forgery.html Yes, I thi

[cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-12 Thread Zooko Wilcox-O'Hearn
If you're using one of the pre-SHA-3 era secure hash functions which is vulnerable to length-extension attacks (e.g. SHA-256), then a good fix is the "HASH_d" technique suggested in Ferguson and Schneier's "Practical Cryptography" book (whose new edition is Ferguson, Schneier, and Kohno's "Crypto

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-13 Thread Marsh Ray
On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote: HASH_d(x) = HASH(HASH(x)) I pretty much always use the HASH_d technique, and that way I don't have to spend time figuring out what length-extension attacks can or can't do to my designs. But now SHA-2 takes a 50% performance hit on messages

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-13 Thread Zooko Wilcox-O'Hearn
On Fri, Apr 13, 2012 at 9:50 AM, Marsh Ray wrote: > > But now SHA-2 takes a 50% performance hit on messages of 55 bytes and shorter. Good point. > So something like IPsec AH would see around a 66% loss in performance if its > bottleneck were actually the authentication (estimating from a handy

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-14 Thread David Adamson
On Fri Apr 13 23:36:26 EDT 2012 Zooko Wilcox-O'Hearn zooko at zooko.com wrote: > I guess that's one really good thing about SHA-3 is that the next generation > of > those web developers, after SHA-2 is removed from standard libraries, will > accidentally have safe auth. :-) > > I really don't kno

Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

2012-04-18 Thread Marsh Ray
On 04/14/2012 06:39 AM, David Adamson wrote: NSA designed SHA-2 to stay in libraries for a long time. Length extension is not an issue for SHA-2 anymore with SHA-512/256. That is a double-pipe hash function perfectly secure against length-extension attack. On 64-bit platforms SHA512 and SHA512/2