Propping up SHA-1 (or MD5)
Ben Laurie
ben at algroup.co.uk
Tue Mar 22 11:51:12 EST 2005
Barney Wolff wrote:
> On Mon, Mar 21, 2005 at 11:56:44AM +0000, Ben Laurie wrote:
>
>>Musing on these points, I wondered about the construction:
>>
>>H'(x)=H(H(x) || H(H(x) || x))
>>
>>which doesn't allow an attacker any choice, doesn't change APIs and
>>doesn't change the length of the hash. Does this have any merit? Note
>>that this is essentially an HMAC where the key is H(x). I omitted the
>>padding because it seems to me that this actually makes HMAC weaker
>>against the current attacks.
>
>
> I believe the fatal flaw here is not the crypto, but losing the ability
> to hash a stream without keeping all of it. Both the hashes and HMAC
> have this sometimes-vital property.
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list