Blake2 parameters cannot be used without a key

RustCrypto / hashes

Collection of cryptographic hash functions written in pure Rust

1.81k stars 245 forks source link

Blake2 parameters cannot be used without a key #482

Open threema-lenny opened 1 year ago

threema-lenny commented 1 year ago

The personal and salt parameters for Blake2 can only be used in combination with a key because the non-MAC variants don't expose the parameters as input.

I've also tried using the MAC variant with an empty key, but it appears an initial Blake2 round is done with an all-zero key in that case.

Would it be acceptable if we change the signature of the Mac variant so that (either):

key is Option, or
a key of length 0 does not do the initial Blake2 round?

Or would it be considered a strict violation to use a MAC without a key?

edward-shen commented 11 months ago

Related: #509

I don't think it's correct to even construct a zero-key-length blake2 MAC variant, and right now I think blake 0.10 permits this in a way that leads to incorrect blake2 construction.

edward-shen commented 7 months ago

Closing the loop, #510 was merged to deny constructing zero-length keys for blake2Mac variants.

threema-lenny commented 7 months ago

Thanks for taking care of the empty key construction bit! There's still the use case of using Blake2 without a key but with personal and salt and that's the only reason why I currently have to maintain a fork. But at least #510 makes it more clear what the proposed solution would have to be which is making key an Option.