Propping up SHA-1 (or MD5)
Pablo Abad
pabad at fibertel.com.ar
Fri Mar 25 10:22:59 EST 2005
Ben,
>> I believe the fatal flaw here is not the crypto, but losing the ability
>> to hash a stream without keeping all of it. Both the hashes and HMAC
>> have this sometimes-vital property.
>
>This can be fixed quite easily:
>
>H'(x)=H(H(x || H(x)) || H(x))
I think this construction doesn't provide any additional security. If
someone manages to find x1 and x2 such that H(x1)=H(x2), he will have also
broken H'(X).
If you get h=H(x1)=H(x2) (of course we are talking about hash functions
using the same iterative model as SHA-1), then you would end calculating
H(H(x1 || h) || h) vs H(H(x2 || h) || h), but since both x1 and x2 leave the
internal state of the hash function the same, H(x1 || h) = H(x2 || h) and
hence H'(x1) = H'(x2)
Cheers,
Pablo
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list