slight irritation using digest (from the ports)



Hello Folks!

For a special application I needed to create digests (or hashes) using
the whirlpool algorithm. It was kind of hard to find something that
actually did that. But I found digest in the ports tree - ok, with some
help from someone who seemed to know what to look for. :-)

What irritates me is the Wikipedia page on Whirlpool:
http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29

There is a chance that the author of the article messed up somehow but
when you are handling sensitive stuff, chances aren't really the things
you want to take.

My irritations in detail:

My zero-hash is the same as the example shown for whirlpool
(whirlpool-2). That's a good sign so far.

My hash for "The quick brown fox jumps over the lazy dog" is:
72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
And that is nowhere near the examples shown in the article. The same
basic thing applies for the change of "dog" to "eog". My hashes are
completely different - as in "no chance the hashes were transferred by
typing and a typo snuck in". I've tried changing the first letter to a
small 't' in case the author didn't hash the sentence with a capital,
but that didn't resolve the problem, nor did adding a full stop. I even
added the quotes to the string that whirlpool digested - didn't change
anything. I know I could try changing the input until kingdom come
without finding the error, so I left it at that.

I could however verify (using a few tests, if you want to call that
"verifying") that the results were the same on both i386 and sparc64
platforms - but since the port was taken from NetBSD, there aren't any
surprises in that.

Just to make things a little more complex, I encoded "Telegraph Road"
off one of my Dire Straits CDs to mp3, hashed that with digest and
compared the hash to the result a friend of mine got with Jacksum[1] on a
Windows box. These were the same and Jacksum says the algorithm is
WHIRLPOOL-2 (which is usually named without the number).

This may be only a small irritation but since we are talking about a
security issue, I don't want to dismiss it too easily either. Are there
any opinions on this out there?

Regards
Chris

[1] http://www.jonelo.de/java/jacksum/
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


