On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> >It's also not clear to me why the HMAC, vs just SHA256(key|cipher-type|mesg). But that's probably just my crypto ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.
This property technically does not apply here, as the output of the hash is kept secret, and the possible messages are constants (which are presumably chosen in such a way that one is never an extension of another).
However, this is a good example of why you can't generically use a hash function in places where you want a MAC (aka "a hash with a shared secret"). Furthermore, if you already have a hash function anyway, HMAC is very easy to construct on top of it.
--
Pieter
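As an added example (not part of the thread), the HMAC construction Pieter refers to, built on top of SHA-256 exactly as RFC 2104 describes it, next to the keyed-hash form `SHA256(key|cipher-type|mesg)` that Ethan warns against. The key and message values are constructed for illustration; the RFC 4231 vector is the published test case 1.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC sizes the key to one block


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K' ^ opad) || H((K' ^ ipad) || m))."""
    # A key longer than one block is hashed down first; a shorter key is
    # zero-padded. Either way K' is exactly BLOCK_SIZE bytes.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    # The outer hash is what makes the tag safe to publish: the inner
    # digest never leaves the function, so no hash state is exposed.
    return hashlib.sha256(opad + inner).digest()


def naive_keyed_hash(key: bytes, cipher_type: bytes, message: bytes) -> bytes:
    """The SHA256(key|cipher-type|mesg) form from the thread.

    Shown only for comparison: its tag is the raw final SHA-256 state of
    key||cipher-type||mesg, which is why it is not a generic MAC when the tag
    is visible to an attacker (length extension)."""
    return hashlib.sha256(key + cipher_type + message).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a received tag against a fresh HMAC."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-rolled HMAC against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def rfc4231_case1_ok() -> bool:
    """RFC 4231 test case 1 for HMAC-SHA-256."""
    expected = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    return hmac_sha256(b"\x0b" * 20, b"Hi There").hex() == expected


if __name__ == "__main__":
    k, m = b"constructed-shared-secret", b"cipher-type-0|hello"   # constructed values
    print(hmac_sha256(k, m).hex(), matches_stdlib(k, m), rfc4231_case1_ok())
```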