How thorough are the hash breaks, anyway?

Trei, Peter ptrei at rsasecurity.com
Thu Aug 26 11:09:49 EDT 2004


[Disclaimer: I've never claimed to be a mathematician, nor even a
cryptographer: my business card says 'cryptoengineer'. I've always
tried more to understand how to properly use cryptographic
primitives than to understand the deep theory of their construction.
I go to people who know the theory when I have a question,
and they come to me when they need something designed and
built correctly and well.]

Looking over the recent work on hash collisions, one
thing that struck me was that they all seem to be
attacks on known plaintext - the 'plaintexts' which
collided were very close to each other, varying in
only a few bits.

While any weakness is a concern, and I'm not
going to use any of the compromised algorithms
in new systems, this type of break seems to be
of limited utility. 

It allows you (if you're fortunate) to modify a signed
message and have the signature still check out.
However, if you don't know the original plaintext
it does not seem to allow you to construct a second
message with the same hash.

There are many applications where a hash may
be exposed, but the attacker does not have access
to the original plaintext. One example is password
systems, where only the hash of the pw is stored.

Thus, the breaks seem to be of utility in some 
applications, but others remain (for the moment)
secure.

Am I missing something here?

Peter Trei
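The distinction the post draws (a collision, where the attacker chooses both messages, versus a second preimage of a stored hash whose plaintext the attacker never sees) can be shown with a constructed toy. This is an added example, not code from the post or from the published attacks: it uses SHA-256 truncated to 16 bits so that collisions are cheap by brute force (the real breaks used differential structure, not short output), and the password "hunter2", the message prefix and the guess format are constructed stand-ins.

```python
import hashlib
import itertools

# Constructed toy: SHA-256 truncated to BITS bits. Truncation, not a
# structural weakness, is what makes collisions cheap here; the point is
# the gap in cost between the two attack classes, not the numbers themselves.
BITS = 16

def toy_hash(msg: bytes) -> int:
    """Top BITS bits of SHA-256(msg) as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - BITS)

def find_collision(prefix: bytes = b"contract"):
    """Attacker controls BOTH messages: a birthday search, roughly
    2^(BITS/2) hashes. Returns (m1, m2, hashes_computed)."""
    seen = {}
    for i in itertools.count():
        m = prefix + b" v%d" % i          # every candidate is distinct
        h = toy_hash(m)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m

def find_second_preimage(target: int, limit: int = 1 << 20):
    """Only the hash is known, as with a stored password hash. Each guess
    matches with probability 2^-BITS, so about 2^BITS hashes on average.
    Returns (msg, hashes_computed), or (None, limit) if the budget runs out."""
    for i in range(limit):
        m = b"guess %d" % i
        if toy_hash(m) == target:
            return m, i + 1
    return None, limit

def compare_work():
    """Run both attacks against the toy and report the work each needed."""
    m1, m2, collision_work = find_collision()
    assert m1 != m2 and toy_hash(m1) == toy_hash(m2)
    stored = toy_hash(b"hunter2")   # constructed password hash; plaintext unknown
    guess, preimage_work = find_second_preimage(stored)
    return {"collision_work": collision_work,
            "second_preimage_work": preimage_work,
            "preimage_found": guess is not None}

if __name__ == "__main__":
    print(compare_work())
```

The collision pair comes back after a few hundred hashes, while matching the fixed stored hash takes on the order of 2^16; at real digest sizes the second figure is what keeps a password file safe even when a collision attack on the hash exists.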

