[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MD5 collisions found - alternative?

On Wed, Aug 25, 2004 at 09:24:01AM -0400, Phillip Hofmeister wrote:
> On Tue, 24 Aug 2004 at 06:18:50PM -0400, Matthew Palmer wrote:
> > In the case of hashing algorithms, there's one 'key' involved -- the
> > plaintext -- and for password security, you don't need to retrieve the key
> > necessarily, just an equivalent one.  There's no guarantee that XORing MD5
> > and SHA-1 isn't going to produce something that is quite simple to generate
> > equivalent plaintext for, by, for example, making it mathematically
> > impossible for one bit in the resultant hash value to be a certain value
> > (because MD5 and SHA-1 always set the same bit to the same value given the
> > same input).  That cuts your hash search space in half right there.
> I agree.  There is value in maintaining two completely different data
> points by hashing the item with two functions though (but not XORing the
> result together).  For example: EVEN IF hash1(x) == hash1(y), it is
> HIGHLY unlikely hash2(x) == hash2(y).  Keeping a record of both hashes
> on hand provides value and strengthens your certainty of integrity on
> very large orders of magnitude.

Indeed.  Hence the crawling horror that is 'HMAC'...

Holding multiple hashes is quite useful for avoiding collisions, and can
help even if one hash is weak (so equivalent plaintext is easily found), but
it can be tricky if one hash is found to be dangerously weak...

- Matt

Attachment: signature.asc
Description: Digital signature

Reply to: