RE: SHA-1 broken

To: "Scovetta, Michael V" <Michael.Scovetta@xxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: SHA-1 broken
From: Michael Silk <michaelsilk@xxxxxxxxx>
Date: Fri, 18 Feb 2005 14:30:49 +1100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=fx3eDfUO+V7J+r+gP1hfqqBe+EtOVEreW9owNlbf1rzDjPuXoHhGY8LTVxx7bNn4BmFGmIUZICEHxTd6+M3bienumeQnDo88LrvTV//kNjydLh8EdlY3aCR1eplnaY15YZ4PjATDIRbmxqJ2/UdY8y5hdSEIgxMtiaJ9I9LV/NU=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Michael Silk <michaelsilk@xxxxxxxxx>

Michael,

 But wouldn't it render a login-based hashing system resistant to the
current hashing problems if it is implemented something like:

 --
 result = hashFunc1( input + hashFunc1(input) + salt )
 //
 // instead of
 //
 result = hashFunc1( input + salt )
 --

 We can see that the input to the functions is the same, so although a
collision could be found within one or the other but it would not give
the correct result unless the hashFunc1( foo ) = hashFunc2( foo )
where foo is the magical input that gives the same result as "bar"
(the initial password).

-- Michael


> -----Original Message-----
> From: Scovetta, Michael V [mailto:Michael.Scovetta@xxxxxx] 
> Sent: Friday, 18 February 2005 8:34 AM
> To: Kent Borg; Gadi Evron
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: SHA-1 broken
> 
> Kent--
> 
> Compositions won't really help very much. Lets say (I'm sure 
> the exact numbers are wrong here) that it takes brute-forcing 
> MD5 takes 2**80, and brute-forcing SHA-1 takes 2**90. And due 
> to recent discoveries, we can push those down to 2**50 and 
> 2**55 respectively. Breaking a composition would still take 
> on the order of 2**55 (the harder of the two)-- you're not 
> going to make it exponentially harder to crack by composing. 
> Doing something a little more slick like interweaving the 
> bits of the two algorithms would make it geometrically 
> harder, but not exponentially.
> You'd really have to get a new algorithm.
> 
> Of course, this is assuming that the actual attack allows one 
> to take some predefined input A, and compute some evil input 
> A' such that Hash(A)=Hash(A'). If the attacks are simply to 
> create colliding input data, then the underlying algorithm is 
> still safe for most applications.
> 
> Of course, I'm not a crypto-expert, so this may all be totally wrong.
> 
> Michael Scovetta
> Computer Associates
> Senior Application Developer
> 
> 
> -----Original Message-----
> From: Kent Borg [mailto:kentborg@xxxxxxxx]
> Sent: Wednesday, February 16, 2005 6:27 PM
> To: Gadi Evron
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: SHA-1 broken
> 
> On Wed, Feb 16, 2005 at 02:56:27PM +0200, Gadi Evron wrote:
> > Now, we've all seen this coming for a while.
> > http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> > 
> > Where do we go from here?
> 
> I am feeling smug that in a project I am working on I earlier 
> decided our integrity hashes would be a concatenation of MD5 
> and SHA-1, not that that's a fix, but it helps.
> 
> I am also appreciating that hashes are used (this project 
> included) for many different things, not all of which are 
> directly affected by this break.  Yes, this is a bad omen for 
> the longevity of SHA-1 for other uses, so we will keep an eye on it.
> 
> Something I am intrigued about is more sophiticated 
> compositions of, say, SHA-1 and MD5.
> 
> -kb

Follow-Ups:
- Re: SHA-1 broken
  - From: exon
- Re: SHA-1 broken
  - From: Brian May

Prev by Date: BizMail 2.1 Spam Exploit
Next by Date: Re: Dangers of discarding duplicated messages
Previous by thread: RE: SHA-1 broken
Next by thread: Re: SHA-1 broken
Index(es):
- Date
- Thread