Re: Combining Hashes

• Previous message: kaosone+[ONE]+: "Re: Possible phpBB <=2.0.11 bug or sql injection?"
• In reply to: Kent Borg: "Combining Hashes"
• Next in thread: Ivan Krstic: "Re: Combining Hashes"
• Reply: Ivan Krstic: "Re: Combining Hashes"
• Reply: Frank Knobbe: "Re: Combining Hashes"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: bugtraq@securityfocus.com
Date: Sat, 19 Feb 2005 00:54:56 -0400

El Vie 18 Feb 2005 11:24, Kent Borg escribió:
> Concatenating two different hashes, for example SHA-1 and MD5,
> apparently does not add as much security as one might hope.
>
> What about more complicated compositions? For example, a reader
> comment posted on Bruce Schneier's blog
> (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html)
> suggests the following:
>
> d1=SHA-1(data)
> d2=MD5(data)
> d3=SHA-1(d1+data+d2)
>
> The final digest would be d1+d2+d3
>
> (where "+" is concatenation)
>
>
> I admit I don't know why this might be significantly better than
> d1+d2, I was hoping someone here would.
>
>
> -kb

Having d1+d2 may leave some useful information in order to obtain a collition
more fastest because we can intersect these functions... SHA-1(d1+data+d2) is
relative better than d1+d2. I dont think that is really secure... d2 or d1
may leave some useful information. we need to study and probe that.

I dont recomend something as: HASH(HASH(data)+data) until a research of
propietries of that where investigated and mathematical proved. The better
method (i think) is: HASH(HASH(data)), because adds two layer... and have the
same or more security than HASH(data). it's simple... if you use HASH(data),
you can obtain HASH(HASH(data)), and crack from HASH(HASH(data)) (if 2-ble
round hash is more weakness).

A simple probe of a very basic crypto-system that isn't good idea have two
rounds are: XOR, the second round leave the original text. With one way
functions may happen something similar.

• application/pgp-signature attachment: stored

• Previous message: kaosone+[ONE]+: "Re: Possible phpBB <=2.0.11 bug or sql injection?"
• In reply to: Kent Borg: "Combining Hashes"
• Next in thread: Ivan Krstic: "Re: Combining Hashes"
• Reply: Ivan Krstic: "Re: Combining Hashes"
• Reply: Frank Knobbe: "Re: Combining Hashes"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Simulate mouse movement? ... The buzzing toothbrush would drive us all crazy! ... >If yours is anything like Citrix's implementation of this security ... You may be able to get round it ... >> The screensaver is disabled and I've set the screen to never go blank ... (microsoft.public.vb.general.discussion) Re: a spam question ... at Independent Security Evaluators, ... H/Crackers don't avoid Macs because they're secure. ... Hit Windows ... the seasons they go round and round etc. ... (misc.writing) RE: TCP port 5000 syn increasing ... > IPs hit those three ports in the last 24 hours"? ... IP addresses) interspersed with an occasional probe on 5000 from the *same* ... Adjunct Information Security Officer ... the comprehensive security solution that combines six ... (Incidents) Re: Giulianis "much less" ... round. ... If he had said "it won't cost hundreds, much less millions", ... responsible for the safety and security of millions of people, ... (alt.usage.english) Re: Am I more vulnerable using broadband? ... > given above where an attacker would probe your system to find a weakness and ... > and looking for patterns of vulnerability (like you going to work the same ... > exposure to this risk. ... If you pay proper attention to security, ... (comp.security.misc)