by staticassertion, 1786 days ago
> You can't just do SHA256(key + message) to generate a safe MAC.
Can you explain this?
3 comments
dagenix, 1786 days ago
A SHA-256 hash is just a dump of the internal state of the function. If you know the hash, you can keep running the hash function for more data and calculate a new hash for the original data with new data appended.
maqp, 1786 days ago
What @dagenix said. See e.g. Thomas Pornin's answer here https://crypto.stackexchange.com/a/3979 for more details.
stouset, 1786 days ago
If you have the output
h = SHA-256(k || m1)
you can easily compute a function `F(h, m2)` such that
SHA-256(k || m1 || m2) = F(h, m2)
allowing you to forge a verifier for `m1 || m2` under `k` for any `m2` you wish without actually knowing `k`.
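As an added example (not from the thread), a Python sketch that checks what the replies describe: a SHA-256 whose chaining value can be seeded from an existing digest, showing that the tag `SHA256(k || m1)` plus only the key's length yields the tag for `m1 || padding || m2`, while an HMAC-SHA256 tag (the fix) cannot be resumed that way. The key, messages and function names are constructed for the demo.

```python
import hashlib, hmac, math, struct
M = 0xFFFFFFFF

def _frac_bits(p, n):
    # first 32 fractional bits of the n-th root of prime p (exact integer root)
    x = p << (32 * n); r = int(round(x ** (1.0 / n)))
    while r ** n > x: r -= 1
    while (r + 1) ** n <= x: r += 1
    return r & M

_PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, math.isqrt(p) + 1))]
IV = [_frac_bits(p, 2) for p in _PRIMES[:8]]  # initial chaining value
K = [_frac_bits(p, 3) for p in _PRIMES]       # 64 round constants

def _rotr(x, n): return ((x >> n) | (x << (32 - n))) & M

def _compress(state, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i-15], 7) ^ _rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = _rotr(w[i-2], 17) ^ _rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & M)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M
        a, b, c, d, e, f, g, h = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return [(x + y) & M for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def _pad(total_len):  # Merkle-Damgard padding for a message of total_len bytes
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256(msg, state=None, prior_len=0):
    # Plain SHA-256, except that `state` lets the caller resume from an earlier
    # digest as the chaining value, with `prior_len` bytes already absorbed.
    h = list(struct.unpack(">8I", state)) if state is not None else IV
    data = msg + _pad(prior_len + len(msg))
    for i in range(0, len(data), 64):
        h = _compress(h, data[i:i + 64])
    return struct.pack(">8I", *h)

def naive_mac(key, msg): return hashlib.sha256(key + msg).digest()  # the construction under discussion

def extend_digest(tag, key_len, m1, m2):
    # The F(h, m2) of the thread: from the tag over k||m1 and only len(k), derive the
    # tag over m1||glue||m2, where glue is the padding the first hash absorbed.
    glue = _pad(key_len + len(m1))
    return m1 + glue + m2, sha256(m2, state=tag, prior_len=key_len + len(m1) + len(glue))

def hmac_sha256(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()  # the mitigation
```

The last assertion style check to run is that `extend_digest` applied to an HMAC tag does not reproduce `hmac_sha256` over the extended message, which is why HMAC (or SHA-3/KMAC) is the answer to the original question.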