Propping up SHA-1 (or MD5)

Ben Laurie ben at
Tue Mar 22 04:50:26 EST 2005

Dan Kaminsky wrote:
> Ben,
>     x can equal either test vector released by Wang, and H(x) will be
> identical.  With H(x) identical, the rest of the HMAC stays identical too. 

This does not appear to be correct - in my construction, i.e. without 
padding, the fact that x and x' differ means that the first blocks 
are different, but not the colliding kind of different (since the first 
blocks will be 20 bytes of H(x) and blocksize-20 bytes of x or x' [or, 
to be pedantic, the first 20 bytes of the next block will be 
different]). Even if padding were included, x and x' would still not 
collide, because the chaining values would not be as needed at the start 
of the second block.

>     As a couple people pointed out, it's OK that HMAC is "vulnerable" to
> the Wang attack, since in order to execute the attack the key is
> required (and like AES, if the key is compromised, all bets are off). 
> But you're not using HMAC as a MAC; you're using it to prop up a broken
> hash. 
>     Regarding the "Random" appendage, people don't seem to realize how
> important synchronized initial states are to many hashing algorithms. 
> One of the major uses of a hashing algorithm is to act as an
> *exchangeable* handle to data, in other words, you and I can both hash
> our respective datasets and see if they're identical.  If we're each
> using different initial states, that process fails utterly.

Obviously. But I don't understand your point.




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
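An added illustration of the block-alignment argument above, not part of either message: a toy Merkle-Damgård hash with a 2-byte chaining value (small enough that a genuine collision can be found by brute force) and the propped-up construction as I read it from Ben's reply, the unpadded digest H(x) prepended to x and hashed again. The toy compression function, block and state sizes, and the exact shape of the construction are assumptions; the point shown is that a pair colliding under the plain hash stops colliding once the digest is prepended, because the differing bytes now sit at a different offset behind a different chaining value.

```python
import hashlib

BLOCK = 4     # toy block size in bytes (SHA-1 uses 64)
STATE = 2     # toy chaining value / digest size in bytes (SHA-1 uses 20)
IV = b"\x00" * STATE

def compress(state: bytes, block: bytes) -> bytes:
    # Constructed toy compression function: truncated SHA-256 of state||block.
    return hashlib.sha256(state + block).digest()[:STATE]

def pad(msg: bytes) -> bytes:
    # Merkle-Damgård strengthening: 0x80, zero fill, 2-byte big-endian length.
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 2) % BLOCK)
    return padded + len(msg).to_bytes(2, "big")

def toy_hash(msg: bytes) -> bytes:
    state = IV
    p = pad(msg)
    for i in range(0, len(p), BLOCK):
        state = compress(state, p[i:i + BLOCK])
    return state

def propped_hash(msg: bytes) -> bytes:
    # The construction as read from the thread (assumption): the raw, unpadded
    # digest H(x) is prepended to x and the whole thing is hashed again.
    return toy_hash(toy_hash(msg) + msg)

def find_block_collision():
    # Birthday-style search for two distinct single blocks that reach the same
    # chaining value from IV; pigeonhole guarantees success within 2^16 + 1 tries.
    seen = {}
    for i in range(2 ** (8 * STATE) + 1):
        blk = i.to_bytes(BLOCK, "big")
        cv = compress(IV, blk)
        if cv in seen:
            return seen[cv], blk
        seen[cv] = blk
    raise RuntimeError("unreachable")

def demo():
    a, b = find_block_collision()
    x, x2 = a + b"tail", b + b"tail"      # constructed: same suffix, same length
    # The plain hash collides: equal chaining value after block 1, identical
    # blocks afterwards. With H(x) prepended, the bytes that differ are shifted
    # to a different offset and processed under a different chaining value, so
    # the collision engineered against IV no longer applies.
    return toy_hash(x) == toy_hash(x2), propped_hash(x) == propped_hash(x2)
```

demo() returns (True, False): the pair collides under the toy hash but not under the propped-up construction.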

The Cryptography Mailing List