[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MD5 collisions found - alternative?



On Tue, 24 Aug 2004 at 06:18:50PM -0400, Matthew Palmer wrote:
> > If I understand your postulate correctly:
> > 
> > If I, the user, encrypt a message with algorithm X and the cipher text
> > is intercepted by the attacker.  The attacker can make his chances of
> > brute forcing the text BETTER by encrypting my cipher text with algorithm
> > Y.  This simply does not hold up.
> 
<snip>

 
> However, the weakness typically occurs when the same (or otherwise
> equivalent or transformed) key is used for both algorithms.  You don't so
> much brute-force the text as the key in most attacks, and application of the
> same (or equivalent) key multiple times often has the effect of weakening
> the key's "secretness".  This often occurs by being able to analyse the
> resultant message and cutting out large swathes of keyspace to search based
> on the properties of the ciphertext.

Ahh...now we are talking apples to apples.  Yes, the same key applied
over different algorithms could create problems and provide easier
crypt-analysis.  I was under the impression we were talking about taking
something and encrypting it with two different keys and two different
algorithms.

> So an attacker applying another algorithm after the fact, not knowing the
> original key used (if he did, why would he need to break the ciphertext the
> hard way?) is unlikely to make it any easier on himself.
> 
> In the case of hashing algorithms, there's one 'key' involved -- the
> plaintext -- and for password security, you don't need to retrieve the key
> necessarily, just an equivalent one.  There's no guarantee that XORing MD5
> and SHA-1 isn't going to produce something that is quite simple to generate
> equivalent plaintext for, by, for example, making it mathematically
> impossible for one bit in the resultant hash value to be a certain value
> (because MD5 and SHA-1 always set the same bit to the same value given the
> same input).  That cuts your hash search space in half right there.

I agree.  There is value in maintaining two completely different data
points by hashing the item with two functions though (but not XORing the
result together).  For example: EVEN IF hash1(x) == hash1(y), it is
HIGHLY unlikely hash2(x) == hash2(y).  Keeping a record of both hashes
on hand provides value and strengthens your certainty of integrity on
very large orders of magnitude.

-- 
Phillip Hofmeister

Attachment: pgpkva5WALC5W.pgp
Description: PGP signature


Reply to: