macaroon_hash2 has unexpected implementation

Question

macaroon_hash2 has unexpected implementation

Closed this issue 9 years ago · 3 comments

To hash two items together with a key, I would expect the algorithm
to be hmac(key, item1 + item2). This is the algorithm used in the
macaroons paper in addCaveatHelper (MAC(sig, vId + cId)).

Instead, macaroon_hash2 uses hmac(key, hmac(key, item1) + hmac(key, item2)).

This is unexpected, and probably less efficient than the simpler approach.

Answer 1 · 2015-01-09T15:06:22.000Z

I agree that it's somewhat confusing. I wanted to avoid ambiguity in the implementation of vid + cid. For example, is "Hello " + "world" the same as "Hello" + " world" or "Hell" + " o world".

Looking back on it, I could have length-prefixed each string (I don't see an attack here), but the double hmac is for sure a solution as well. I'm sure that I considered that possibility, but cannot remember why it was ruled out in favor of double hmac.

Answer 2 · 2015-01-09T17:49:09.000Z

Interesting. I wouldn't have thought there was an attack there as
the first argument to keyedHash2 is always a known length.

Answer 3 · 2015-02-18T15:31:46.000Z

@rogpeppe I wanted to minimize the assumptions made about other parts of the code.