
After reading the Wikipedia page about SipHash I think it can be used like HMAC-SHA256 in JWT to create and verify API tokens (authenticate client devices).

In JWT the server creates this MAC to sign user identifiers (e.g. a number or email) with a private key which is then sent alongside the identifier with every request (after login).

Furthermore, the official paper states:

Target applications include network traffic authentication

However, I can't find any pages on the web explaining this use case although it is much faster and has been out for a while.

Is HMAC-SHA256 more secure in any way or am I missing anything else? Thank you!

EDIT: SipHash output is typically only 64-bit, so I am referring to SipHash double with 128-bit output like in the JavaScript implementation.

Jannis

2 Answers


The newer, 128-bit output version of SipHash is conjecturally appropriate for this task; i.e., if SipHash is as strong as its authors intend (if!), then yes, you can use it for that task.

An analogous remark can be said of SHA-2, but the main issue here is one of subjective confidence; cryptographers haven't examined SipHash in nearly as much detail as SHA-2, so subjectively, we have fewer reasons to believe it is as strong as it's conjectured to be, compared to HMAC-SHA-2.

So HMAC-SHA-2 is the more prudent option here. I would only consider using SipHash if I'd conclusively shown, based on profiling data, that SHA-2 was a significant performance bottleneck for my application.

Luis Casillas
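As an added illustration, not code from the question or from either answer, here is the token scheme the question describes (server MACs the user identifier, client presents identifier plus tag on every request) with the MAC pluggable: HMAC-SHA256 from the standard library, which this answer prefers, beside a pure-Python SipHash-2-4 with the 16-byte "double" output the question mentions. The token format, the SipHash implementation, and the sample key and identifier are assumptions of this example.

```python
import base64, hashlib, hmac, struct
MASK = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK

def _sipround(v):  # one SipRound, mirroring the reference description (in place)
    v[0] = (v[0] + v[1]) & MASK; v[1] = _rotl(v[1], 13) ^ v[0]; v[0] = _rotl(v[0], 32)
    v[2] = (v[2] + v[3]) & MASK; v[3] = _rotl(v[3], 16) ^ v[2]
    v[0] = (v[0] + v[3]) & MASK; v[3] = _rotl(v[3], 21) ^ v[0]
    v[2] = (v[2] + v[1]) & MASK; v[1] = _rotl(v[1], 17) ^ v[2]; v[2] = _rotl(v[2], 32)

def siphash24(key, msg, outlen=16):
    """SipHash-2-4 with an 8-byte (original) or 16-byte ('double') tag."""
    assert len(key) == 16 and outlen in (8, 16)
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]
    if outlen == 16:
        v[1] ^= 0xEE
    full = len(msg) - len(msg) % 8
    blocks = [struct.unpack("<Q", msg[i:i + 8])[0] for i in range(0, full, 8)]
    # final block: leftover bytes little-endian, with len(msg) mod 256 in the top byte
    blocks.append(((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little"))
    for m in blocks:
        v[3] ^= m
        for _ in range(2): _sipround(v)
        v[0] ^= m
    v[2] ^= 0xEE if outlen == 16 else 0xFF
    for _ in range(4): _sipround(v)
    out = struct.pack("<Q", v[0] ^ v[1] ^ v[2] ^ v[3])
    if outlen == 16:  # second finalization yields the high 8 bytes of the tag
        v[1] ^= 0xDD
        for _ in range(4): _sipround(v)
        out += struct.pack("<Q", v[0] ^ v[1] ^ v[2] ^ v[3])
    return out

hmac_sha256 = lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()

def mint_token(mac, key, user_id):
    """Server side: token = base64url(identifier) + '.' + hex(MAC_key(identifier))."""
    ident = user_id.encode()
    return base64.urlsafe_b64encode(ident).decode() + "." + mac(key, ident).hex()

def verify_token(mac, key, token):
    """Server side: return the identifier if the tag verifies, else None."""
    try:
        ident_b64, tag_hex = token.split(".", 1)
        ident, tag = base64.urlsafe_b64decode(ident_b64), bytes.fromhex(tag_hex)
    except ValueError:  # malformed token (covers base64 and hex decode errors)
        return None
    # compare_digest keeps the check constant-time, so a forger learns nothing from latency
    return ident.decode() if hmac.compare_digest(tag, mac(key, ident)) else None
```

Only the identifier is authenticated here; anything else the client must not alter (expiry, scope) has to be inside the MAC input as well.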

SipHash only generates 64 bits of output; thus, it is dramatically less secure than SHA-256, SHA-384, or SHA-512. It is also faster, which aids an attacker as well. The first 64 bits is reasonable, but SipHash stops there. See this Crypto.Stackexchange post for more details.

Further, you shouldn't be using a single pass of anything for user authentication (password hashing); use PBKDF2, BCrypt, SCrypt, or Argon2 with as high an iteration count/work factor as your hardware can afford. See How to securely hash passwords.

Anti-weakpasswords
  • I don't think PW hashing (derivation) is what's meant by OP for auth, given the mention of HMAC, which seems to point to some kind of nonce+sharedSecret routine. – dandavis Jan 11 '18 at 09:27
  • Yes, I didn't mean key derivation but client authentication (generate a MAC for a user identifier by the server which is then transmitted with every request by the client to prove that he is who he claims to be). – Jannis Jan 11 '18 at 10:19
  • Thanks, I didn't notice that it's 64bit of output generally, but there is also a double version with 128 output, for example in the [JavaScript implementation](https://github.com/jedisct1/siphash-js). Is this one hard to brute force + secure then? – Jannis Jan 11 '18 at 10:24