Hacker News
by magicalhippo 1127 days ago
> SHA-2 is still the gold standard

Truncated SHA-2, e.g. SHA-512/256, has some resistance against length extension attacks[1] while non-truncated has none, so wouldn't that be the gold standard?

edit: Thinking a bit more, I guess there are a lot of interesting cases which are not prone to length extension attacks where the full SHA-512 would be better.

[1]: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functi...

2 comments

I was referring to the full family! SHA-512/256 is indeed a good choice, and should be (nearly) identical in terms of performance characteristics.

Looked at a 6 byte hash today. Modifying the hash or the data attached to it made the API respond with an error saying untrusted input. The data is an encrypted blob and the hash protects it from being tampered with.

My guess is that it’s a truncated md5(secret + data) or hmac. Either way, with a sufficiently long secret, I won’t be able to guess it (offline), and because of the truncation, length extensions are also out of the question.

With only 48 bits of entropy, I can’t shake the feeling that there are practical attacks I have not considered.
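
Added example, not part of the thread and not the API's actual construction (which the comment above can only guess at): a fixed-length 6-byte truncated HMAC-SHA256 tag with constant-time verification, plus the generic 2^-48 per-attempt acceptance bound a defender would use to size a failed-verification budget per key. HMAC-SHA256, the function names, the key and the sample blob are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

TAG_LEN = 6  # bytes; 48 bits, matching the tag size discussed above


def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 truncated to the leftmost TAG_LEN bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """The verifier fixes the tag length; a shorter tag supplied by the
    caller is rejected rather than compared as a prefix."""
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(make_tag(key, data), tag)


def forgery_probability(tag_bits: int, attempts: int) -> float:
    """Chance that at least one of `attempts` random tags is accepted."""
    return -math.expm1(attempts * math.log1p(-(2.0 ** -tag_bits)))


def attempts_within_risk(tag_bits: int, risk: float) -> int:
    """Failed verifications to tolerate per key while the chance of one
    accepted random tag stays at or below `risk`."""
    return int(math.log1p(-risk) / math.log1p(-(2.0 ** -tag_bits)))


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed sample key
    blob = b"constructed-ciphertext"     # constructed sample data
    t = make_tag(key, blob)
    print(verify(key, blob, t), verify(key, blob + b"x", t), verify(key, blob, t[:1]))
    print(forgery_probability(48, 10**6))
    print(attempts_within_risk(48, 2.0 ** -20))
```

The budget from `attempts_within_risk` only holds if the service counts failed verifications per key and throttles or rotates the key once the budget is spent.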