> -----Original Message-----
> From: exon [mailto:exon (at) home (dot) se [email concealed]]
> Sent: Saturday, 19 February 2005 8:58 PM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Re: SHA-1 broken
>
> Michael Silk wrote:
> > Michael,
> >
> > But wouldn't it render a login-based hashing system
> resistant to the
> > current hashing problems if it is implemented something like:
> >
> > --
> > result = hashFunc1( input + hashFunc2(input) + salt )
> > //
> > // instead of
> > //
> > result = hashFunc1( input + salt )
> > --
> >
>
> I assume you mean hashFUnc2 inside the parentheses
Yes.
> No it won't, because if hashFunc2 has collisions the
> resulting output will collide in hashFunc1 as well.
How?
The attackers input is "input". He can only choose to enter a
collision for "hashFunc1" _OR_ "hashFunc2". He can't enter a
collision for both, but that is what he needs to pass this
function with a different string from the original.
> The
> collision resistance in this case is somewhat less than that
> of hashFunc2 (because two different outputs of hashFunc2
> might collide in hashFunc1,
Sure, hashFunc2 might give collisions, but it doesn't mean anything
unless _THOSE_ collisions are collisions in hashFunc1 that lead to the
original hash.
> but a
> strong hash isn't supposed to depend on the algorithm not being known.
> -----Original Message-----
> From: exon [mailto:exon (at) home (dot) se [email concealed]]
> Sent: Saturday, 19 February 2005 8:58 PM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Re: SHA-1 broken
>
> Michael Silk wrote:
> > Michael,
> >
> > But wouldn't it render a login-based hashing system
> resistant to the
> > current hashing problems if it is implemented something like:
> >
> > --
> > result = hashFunc1( input + hashFunc2(input) + salt )
> > //
> > // instead of
> > //
> > result = hashFunc1( input + salt )
> > --
> >
>
> I assume you mean hashFUnc2 inside the parentheses
Yes.
> No it won't, because if hashFunc2 has collisions the
> resulting output will collide in hashFunc1 as well.
How?
The attackers input is "input". He can only choose to enter a
collision for "hashFunc1" _OR_ "hashFunc2". He can't enter a
collision for both, but that is what he needs to pass this
function with a different string from the original.
> The
> collision resistance in this case is somewhat less than that
> of hashFunc2 (because two different outputs of hashFunc2
> might collide in hashFunc1,
Sure, hashFunc2 might give collisions, but it doesn't mean anything
unless _THOSE_ collisions are collisions in hashFunc1 that lead to the
original hash.
> but a
> strong hash isn't supposed to depend on the algorithm not being known.
Obviously.
-- Michael
[ reply ]