Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://akko.erincandescent.net/objects/ebd717f7-737a-40f4-ad0f-b73c62ab17c2">Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Sunday, 24-Nov-2024 01:08:13 JST</a><a href="https://akko.erincandescent.net/users/erincandescent" title="erincandescent@akko.erincandescent.net"><img src="https://gnusocial.jp/avatar/242079-48-20240514235327.webp" width="48" height="48" alt="Erin 💽✨" style="position: absolute; left: 0; top: 0;">Erin 💽✨</a><div><a href="https://social.coop/@cwebber/113527462572885698" rel="in-reply-to">in reply to</a></div></section><article><p><a href="https://social.coop/@cwebber">@cwebber</a> Some notes:</p><p>(Also choosing sha256 over sha256d, there’s maybe the question of length extension attacks, but I suppose the parsing of the document means this is maybe not a problem, I’m not sure.)</p><p>So a fun thing amout merkle-damgård hash functions is that they’re only subject to length extension attacks if used at full length. If truncated they’re not vulnerable. So SHA-256 and SHA-512 are vulnerable, but SHA-224 (which is SHA-256 with different constants and truncated to 224 bits) and SHA-384 (which is SHA-512 with initial different initial constants and truncated to 384 bits) are not. Back in 2012 NIST standardised SHA-512/224 and SHA-512/256 which are similarly truncated versions of SHA-512 with different initial constants which also sidestep the length extension attack issue.</p><p>Anyway this is to say that because they truncated the hash in did:plc identifiers (to a level which feels unwise to me too!) they’re immune to length extension attcks.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4051727#notice-7928281">In conversation</a><time datetime="2024-11-24T01:08:13+09:00" title="Sunday, 24-Nov-2024 01:08:13 JST">about 7 months ago</time> <span>from <span><a href="https://akko.erincandescent.net/objects/ebd717f7-737a-40f4-ad0f-b73c62ab17c2" rel="external" title="Sent from akko.erincandescent.net via ActivityPub">akko.erincandescent.net</a></span></span><a href="https://akko.erincandescent.net/objects/ebd717f7-737a-40f4-ad0f-b73c62ab17c2">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Sunday, 24-Nov-2024 01:08:13 JST Erin 💽✨
in reply to
@cwebber Some notes:
(Also choosing sha256 over sha256d, there’s maybe the question of length extension attacks, but I suppose the parsing of the document means this is maybe not a problem, I’m not sure.)
So a fun thing amout merkle-damgård hash functions is that they’re only subject to length extension attacks if used at full length. If truncated they’re not vulnerable. So SHA-256 and SHA-512 are vulnerable, but SHA-224 (which is SHA-256 with different constants and truncated to 224 bits) and SHA-384 (which is SHA-512 with initial different initial constants and truncated to 384 bits) are not. Back in 2012 NIST standardised SHA-512/224 and SHA-512/256 which are similarly truncated versions of SHA-512 with different initial constants which also sidestep the length extension attack issue.
Anyway this is to say that because they truncated the hash in did:plc identifiers (to a level which feels unwise to me too!) they’re immune to length extension attcks.
In conversationabout 7 months ago from akko.erincandescent.netpermalink

Public

Embed Notice

HTML Code

Corresponding Notice