How thorough are the hash breaks, anyway?
Trei, Peter
ptrei at rsasecurity.com
Thu Aug 26 11:09:49 EDT 2004
[Disclaimer: I've never claimed to be a mathematician, nor even a
cryptographer: my business card says 'cryptoengineer'. I've always
tried more to understand how to properly use cryptographic
primitives than to understand the deep theory of their construction.
I go to people who know the theory when I have a question,
and they come to me when they need something designed and
built correctly and well.]
Looking over the recent work on hash collisions, one
thing that struck me was that they all seem to be
attacks on known plaintext - the 'plaintexts' which
collided were very close to each other, varying in
only a few bits.
While any weakness is a concern, and I'm not
going to use any of the compromised algorithms
in new systems, this type of break seems to be
of limited utility.
It allows you (if you're fortunate) to modify a signed
message and have the signature still check out.
However, if you don't know the original plaintext
it does not seem to allow you to construct a second
message with the same hash.
There are many applications where a hash may
be exposed, but the attacker does not have access
to the original plaintext. One example is password
systems, where only the hash of the pw is stored.
Thus, the breaks seem to be of utility in some
applications, but others remain (for the moment)
secure.
Am I missing something here?
Peter Trei
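The three attacker models the post is weighing (collision: attacker picks both messages; second preimage: one message is fixed; preimage: only the hash is known, as in a password file) can be made concrete with generic brute-force search against a deliberately truncated hash. This is an added example, not code from the post; the truncated-SHA-256 toy hash, the 20- and 16-bit sizes and the sample password are constructed for illustration, and the 2004 MD5/SHA-0 results were structured differential attacks, not the generic searches shown here.

```python
import hashlib

def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits: a constructed toy hash weak enough
    that generic attacks finish in milliseconds. Only the work factors matter."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits: int):
    """Collision model: the attacker controls BOTH messages.
    Birthday search: expected work about 2**(bits/2) hash evaluations."""
    seen = {}
    tries = 0
    while True:
        tries += 1
        m = tries.to_bytes(8, "big")          # attacker-chosen candidate
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, tries          # two distinct messages, same hash
        seen[h] = m

def find_second_preimage(target: bytes, bits: int):
    """Second-preimage model: one message is fixed by the victim; the attacker
    needs a DIFFERENT message with the same hash. Expected work about 2**bits,
    i.e. the square of the collision cost. A stored password hash is the same
    situation with the message unknown (preimage), so a collision pair does
    not help the attacker here."""
    h_target = trunc_hash(target, bits)
    tries = 0
    while True:
        tries += 1
        m = tries.to_bytes(8, "big")
        if m != target and trunc_hash(m, bits) == h_target:
            return m, tries

def signature_still_verifies(signed_msg: bytes, other_msg: bytes, bits: int) -> bool:
    """A signature covers only the hash, so any message hashing to the same
    value passes verification. This is the 'modify a signed message' risk."""
    return trunc_hash(signed_msg, bits) == trunc_hash(other_msg, bits)

def work_factors() -> dict:
    """Compare the effort of the two attacker models on the toy hash."""
    m1, m2, collision_tries = find_collision(20)           # ~2**10 expected
    _, preimage_tries = find_second_preimage(b"password", 16)  # ~2**16 expected
    return {"collision_tries_20bit": collision_tries,
            "second_preimage_tries_16bit": preimage_tries,
            "forged_signature_verifies": signature_still_verifies(m1, m2, 20)}

if __name__ == "__main__":
    print(work_factors())
```

Raising `bits` shows the gap widening: collision cost grows with the square root of the hash space, second-preimage and preimage cost with the space itself.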
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com