
Re: MD5 collisions found - alternative?



On 25 Aug 2004, Matthew Palmer wrote:
> On Tue, Aug 24, 2004 at 12:20:24PM -0400, Phillip Hofmeister wrote:
>> On Tue, 24 Aug 2004 at 10:50:38AM -0400, Daniel Pittman wrote:
>>> Be aware that this sort of "multi-encryption" technique can
>>> lead to significant exposures when applied to traditional crypto; it can
>>> produce results that allow a vastly simpler attack on the protected
>>> information.
>>>
>>> I would not put my name to a recommendation about how to make a
>>> cryptographic product or protocol "more secure" unless I had sufficient
>>> background in the area to know the full implications of my recommended
>>> actions.
>>
>> If I understand your postulate correctly:
>>
>> If I, the user, encrypt a message with algorithm X and the cipher text
>> is intercepted by the attacker, the attacker can make his chances of
>> brute forcing the text BETTER by encrypting my cipher text with algorithm
>> Y.  This simply does not hold up.
>
> For random values of X and Y, you are correct, there is no reason to assume
> that you will get an easier time of it.  However, there are plenty of
> examples where (for instance) applying the same algorithm N times
> does not produce N times the security, or even the same level of security. 
> The same adverse interaction occurs when you mix different algorithms.

[...]

> It's those sorts of tricky interactions (which aren't immediately obvious)
> which I'm sure led Daniel to warn of the dangers of simplistic "security
> upgrades".

Matt is entirely correct in his statements - this is *precisely* the
issue that I am concerned with.

I cannot say that "SHA1(f) xor MD5(f)" is weaker or stronger than either
of those two on their own, because I don't know cryptographic algorithm
design well enough.

It is very hard to design a good cryptographic algorithm, though, and
even harder to build a useful cryptographic system around a good
algorithm.

To quote from memory, unless you happen to be Bruce Schneier you
probably can't design a secure cryptographic system on the back of a
napkin, and you are almost certainly better off not trying. :)

Regards,
        Daniel
-- 
Crying loud, you're crawling on the floor
Just a beautiful baby, You're nothing more
        -- Switchblade Symphony, _Clown_
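
An added illustration, not part of the original thread or any poster's code, of the quoted point that applying the same algorithm twice does not give twice the security: with two independent keys, a meet-in-the-middle search over known plaintext/ciphertext pairs costs about 2 x 2^k cipher calls instead of the 2^(2k) that the doubled key length suggests. The thread does not name this technique; the 16-bit Feistel cipher, the 12-bit keys and all function names are assumptions constructed for the demonstration.

```python
import hashlib

KEY_BITS = 12  # toy key size (assumption) so the search finishes quickly

def _f(half, key, rnd):
    # Feistel round function: one byte of SHA-256 over (half, round, key).
    return hashlib.sha256(bytes([half, rnd]) + key.to_bytes(2, "big")).digest()[0]

def encrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right

def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Return (key pairs consistent with all pairs, cipher calls spent)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, middle = 0, {}
    for k1 in range(1 << KEY_BITS):        # forward half: E_k1(p0)
        middle.setdefault(encrypt(p0, k1), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):        # backward half: D_k2(c0)
        ops += 1
        for k1 in middle.get(decrypt(c0, k2), []):
            ops += 2 * len(rest)           # upper bound on confirmation cost
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

def demo():
    k1, k2 = 0x5A3, 0xC17                  # constructed secret keys
    known = [0x1234, 0xBEEF, 0x0F0F]       # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in known]
    found, ops = meet_in_the_middle(pairs)
    return (k1, k2) in found, ops, 1 << (2 * KEY_BITS)

if __name__ == "__main__":
    recovered, ops, brute = demo()
    print(f"recovered={recovered} cipher_calls={ops} naive_search={brute}")
```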


