Combining Hashes

From: Kent Borg (kentborg_at_borg.org)
Date: 02/18/05

Next message: David Nichols: "Re: Phishing hole found in IE and OE"

Previous message: Greg Merideth: "Re: Phishing hole found in IE and OE"
Next in thread: unmanarc: "Re: Combining Hashes"
Reply: unmanarc: "Re: Combining Hashes"
Reply: Elliott Bäck: "Re: [lists] Combining Hashes"
Reply: Felix Cuello: "Re: Combining Hashes"
Reply: exon: "Re: Combining Hashes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 18 Feb 2005 10:24:19 -0500
To: bugtraq@securityfocus.com

Concatenating two different hashes, for example SHA-1 and MD5,
apparently does not add as much security as one might hope.

What about more complicated compositions? For example, a reader
comment posted on Bruce Schneier's blog
(http://www.schneier.com/blog/archives/2005/02/sha1_broken.html)
suggests the following:

d1=SHA-1(data)
d2=MD5(data)
d3=SHA-1(d1+data+d2)

The final digest would be d1+d2+d3

(where "+" is concatenation)

I admit I don't know why this might be significantly better than
d1+d2, I was hoping someone here would.

-kb

Next message: David Nichols: "Re: Phishing hole found in IE and OE"

Previous message: Greg Merideth: "Re: Phishing hole found in IE and OE"
Next in thread: unmanarc: "Re: Combining Hashes"
Reply: unmanarc: "Re: Combining Hashes"
Reply: Elliott Bäck: "Re: [lists] Combining Hashes"
Reply: Felix Cuello: "Re: Combining Hashes"
Reply: exon: "Re: Combining Hashes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

www.derkeiler.com > Mailing-Lists > securityfocus > bugtraq > 2005-02