Re: Combining Hashes

To: Aaron Mizrachi <aaron@xxxxxxxxxxxxxxxxxx>
Subject: Re: Combining Hashes
From: Frank Knobbe <frank@xxxxxxxxx>
Date: Sun, 20 Feb 2005 11:30:05 -0600
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200502190055.05271.aaron@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050218102419.F7251@xxxxxxxx> <200502190055.05271.aaron@xxxxxxxxxxxxxxxxxx>

On Sat, 2005-02-19 at 00:54 -0400, Aaron Mizrachi wrote:
> [...] The better 
> method (i think) is: HASH(HASH(data)), because adds two layer... and have the 
> same or more security than HASH(data). 

That's not an improvement. If you can fiddle data so that the inner hash
has the same value as before the fiddling, the outer hash remains the
same as well -- doesn't give you anything except a false sense of
security. Kent's idea was better in that you would have to find common
collisions in both algorithms in order to keep both hashes. 

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

References:
- Combining Hashes
  - From: Kent Borg
- Re: Combining Hashes
  - From: unmanarc

Prev by Date: [FLSA-2005:1944] GNOME VFS updates address extfs vulnerability
Next by Date: RE: SHA-1 broken
Previous by thread: Re: Combining Hashes
Next by thread: Re: [lists] Combining Hashes
Index(es):
- Date
- Thread