undefined | Better HN

0 pointssha2throwaway8y ago0 comments

Actually you do get some added security, because it prevents the length extension attacks sha-2 and related hash functions have thanks to the Merkle-Damgard construction [0]. Specifically, by truncating the hash, the output no longer contains enough state to perform the attack.

[0] https://en.wikipedia.org/wiki/Length_extension_attack

0 comments

loup-vaillant8y ago

There are better ways to prevent length extension attacks, such as choosing Blake2b. With the current scheme, only 12 bytes are missing, so Length extension attacks only get 96 bits of security…

Replacing SHA-1 with SHA-2, what are they thinking? Blake2 is faster and more secure than either.

simias8y ago

Nobody gets fired for choosing SHA-256. It's the de-facto standard these days, it's the most likely to have hardware acceleration etc... I think it's a pretty conservative choice.

Furthermore I don't think hash performance is very critical for bittorrent, after all it's generally I/O bound.

Could you even exploit length extension with bittorrent? Given that it cuts files in chunks of the same size it sounds pretty hard to sneak extra bytes in there.

loup-vaillant8y ago

> hardware acceleration

Ah, that would explain a lot. (Not in this particular case, but why it seems to be the default choice in many settings).

> Could you even exploit length extension with bittorrent?

No Idea. I was just responding to a general point.

derefr8y ago

They're probably thinking something about which hashes will get hardware-accelerated instructions provided on x86 and ARM.

loup-vaillant8y ago

Yeah, I keep forgetting about Hardware acceleration…

snakeanus8y ago

Length extension attacks are a non-issue for torrents.

j / k navigate · click thread line to collapse

0 comments

loup-vaillant8y ago

There are better ways to prevent length extension attacks, such as choosing Blake2b. With the current scheme, only 12 bytes are missing, so Length extension attacks only get 96 bits of security…

Replacing SHA-1 with SHA-2, what are they thinking? Blake2 is faster and more secure than either.

simias8y ago

Nobody gets fired for choosing SHA-256. It's the de-facto standard these days, it's the most likely to have hardware acceleration etc... I think it's a pretty conservative choice.

Furthermore I don't think hash performance is very critical for bittorrent, after all it's generally I/O bound.

Could you even exploit length extension with bittorrent? Given that it cuts files in chunks of the same size it sounds pretty hard to sneak extra bytes in there.

loup-vaillant8y ago

> hardware acceleration

Ah, that would explain a lot. (Not in this particular case, but why it seems to be the default choice in many settings).

> Could you even exploit length extension with bittorrent?

No Idea. I was just responding to a general point.

derefr8y ago

They're probably thinking something about which hashes will get hardware-accelerated instructions provided on x86 and ARM.

loup-vaillant8y ago

Yeah, I keep forgetting about Hardware acceleration…

snakeanus8y ago

Length extension attacks are a non-issue for torrents.

j / k navigate · click thread line to collapse