[erkl]

First off, thanks for the reply.

I have to say it feels a bit weird to deduct points (so to speak) from a highly regarded cryptographic hash function because it doesn't outright prevent one particular, broken MAC generation scheme, but I guess the argument has some merit.

While I think it's harmless to say that SHA-512/256 is stronger than SHA-256 (as they otherwise provide the same theoretical level of security), I still think it's wrong to claim that SHA-512/256 is also stronger than SHA-512, which has a vastly greater theoretical security margin.

Just use a MAC algorithm that isn't terrible.

[tptacek]

Susceptibility to length extension would also have disqualified SHA2-512 from SHA-3, where that property was a requirement, so it seems like the cryptographic community has come to conclusion about this.

The "security margin" of a full SHA2-512 digest, over its truncated SHA2-512/256 alternative, is not meaningful in practice.

If you want to use full-width SHA2-512, go ahead. SHA2-512/256 is safer.

[alextgordon]

Devil's advocate: 10 years from now if SHA-3 is dominant and HMAC has faded into obscurity, how hard will it be to get programmers to understand the difference between hash function and MAC? Keeping in mind that they barely understand today.