[17129] in cryptography@c2.net mail archive
Re: Propping up SHA-1 (or MD5)
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Mar 25 09:50:42 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Tue, 22 Mar 2005 16:51:12 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Barney Wolff <barney@databus.com>
Cc: Cryptography <cryptography@metzdowd.com>, saag@mit.edu
In-Reply-To: <20050321212642.GA95604@pit.databus.com>
Barney Wolff wrote:
> On Mon, Mar 21, 2005 at 11:56:44AM +0000, Ben Laurie wrote:
>
>>Musing on these points, I wondered about the construction:
>>
>>H'(x)=H(H(x) || H(H(x) || x))
>>
>>which doesn't allow an attacker any choice, doesn't change APIs and
>>doesn't change the length of the hash. Does this have any merit? Note
>>that this is essentially an HMAC where the key is H(x). I omitted the
>>padding because it seems to me that this actually makes HMAC weaker
>>against the current attacks.
>
>
> I believe the fatal flaw here is not the crypto, but losing the ability
> to hash a stream without keeping all of it. Both the hashes and HMAC
> have this sometimes-vital property.
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
