[saag] Re: Propping up SHA-1 (or MD5)

Ben Laurie ben at algroup.co.uk
Thu Mar 24 13:19:36 EST 2005


Blumenthal, Uri wrote:
>  Ernie Brickell suggested the following construct:
> 
> H'(x) = H( H(x) || H(0 || x) )
> 
> Like him, I see no reason in going (H(x) || H(0||x) || ... || H(n||x)).

Sorry, I got my parentheses wrong. I meant...

H'(x)=H(H(x || H(0 || x)) || H(0 || x))

or:

H'(x)=H(H(x || H(0 || x)) || H(1 || x))

the former being almost the same construction as suggested, except that 
H(0 || x) is appended to the first inner hash. I used this construction 
because nested keyed hashes have provable security properties (which is 
why HMAC is made the way it is). The second form is the one required to 
get those properties, I should point out.

I will confess that I have punted on whether those properties are 
actually useful.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
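
The three constructs from this message, written out as an added example (not code from the original post or from either author). It assumes the prefixes "0" and "1" are single bytes 0x00 and 0x01, and it uses SHA-1 truncated to 3 bytes as a deliberately weak stand-in for H, so that a collision in H is cheap to find and can be fed to each H'.

```python
import hashlib
from itertools import count

def make_hash(nbytes=20):
    """H = SHA-1 truncated to nbytes (20 = full SHA-1). The truncation is an
    assumption of this example, used only to make collisions in H cheap."""
    return lambda data: hashlib.sha1(data).digest()[:nbytes]

# Assumption: the prefixes "0" and "1" are encoded as bytes 0x00 and 0x01.
def brickell(H, x):
    # H'(x) = H( H(x) || H(0 || x) )
    return H(H(x) + H(b"\x00" + x))

def laurie_first(H, x):
    # H'(x) = H( H(x || H(0 || x)) || H(0 || x) )
    t = H(b"\x00" + x)
    return H(H(x + t) + t)

def laurie_second(H, x):
    # H'(x) = H( H(x || H(0 || x)) || H(1 || x) )
    return H(H(x + H(b"\x00" + x)) + H(b"\x01" + x))

def find_collision(H):
    """Birthday search over constructed inputs b"msg-<i>" until H(a) == H(b)."""
    seen = {}
    for i in count():
        x = b"msg-%d" % i
        d = H(x)
        if d in seen:
            return seen[d], x
        seen[d] = x

def collision_survives(nbytes=3):
    """For each construct, does a collision in the weak H also collide H'?"""
    H = make_hash(nbytes)
    a, b = find_collision(H)
    return {f.__name__: f(H, a) == f(H, b)
            for f in (brickell, laurie_first, laurie_second)}

if __name__ == "__main__":
    print(collision_survives())
```

With the truncated H each H' is itself only 24 bits wide, so the run says nothing about overall strength; it only shows that a collision in H(x) by itself does not carry through any of the three constructs, because each one also hashes x under a different prefix or suffix.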