[Dshield] Crypto Question

John Hardin jhardin at impsec.org
Thu Mar 5 01:10:04 GMT 2009


On Wed, 4 Mar 2009, Valdis.Kletnieks at vt.edu wrote:

> On Wed, 04 Mar 2009 14:12:06 PST, John Hardin said:
>> What's the likelihood that the same collision plaintext would generate the
>> same crypto hash using several different algorithms?
>
> A man with one watch always knows what time it is. A man with 2 watches 
> is never sure.

How is that an even vaguely relevant analogy?

> In general, either that first hash is believed secure, or it isn't.

Believing (absent mathematical proof) that a hash is secure does not mean 
there are no flaws in it.

MD5 was believed secure until a collision was proven.

SHA1 was believed secure until a collision was proven.

In both cases, that belief has caused a lot of unnecessary expense and 
(likely) silent security failures.

> If it is secure, you don't need a second hash. If you're worried enough
> about the first hash that using a second one is starting to make sense, 
> you probably shouldn't be using the first one at all.
>
> Or more concretely - if you're computing a SHA-256 hash because you 
> don't trust the MD5 hash, maybe it's time to just *retire* the MD5 
> entirely.

And what happens when a collision is found in SHA256?

My point is *don't assume the algorithm is flawless*. If you design your 
protocols with the assumption that the algorithms are imperfect, then your 
protocol is robust when the flaws are actually found.

If certificate signing, and PGP et al., and other protocols had included 
provision for signing with two hashes using different algorithms, then we 
would not be seeing attacks like this:

http://www.win.tue.nl/hashclash/rogue-ca/

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Failure to plan ahead on someone else's part does not constitute
   an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
  4 days until Daylight Saving Time begins in U.S. - Spring Forward
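The two-hash signing idea argued for above, as an added example that is not part of this thread: a signed record carries one digest per algorithm, and the verifier rejects unless every digest matches. The "weak" hash is a constructed 16-bit truncation of MD5, so a collision can be found by birthday search in a few hundred tries; the function and record names are this example's own.

```python
import hashlib
from itertools import count

# Constructed stand-ins: "weak" is MD5 truncated to 16 bits so a collision is
# cheap to find for the demonstration; "sha256" is the real, full-width digest.
HASHES = {
    "weak": lambda data: hashlib.md5(data).digest()[:2],
    "sha256": lambda data: hashlib.sha256(data).digest(),
}

def digest_record(data: bytes) -> dict:
    """What a dual-hash signature would cover: one digest per algorithm."""
    return {name: h(data) for name, h in HASHES.items()}

def verify_any(data: bytes, record: dict, names) -> bool:
    """Single-hash verifier: trusts whichever algorithm(s) it is told to check."""
    return all(HASHES[n](data) == record[n] for n in names)

def verify_all(data: bytes, record: dict) -> bool:
    """Dual-hash verifier: every recorded digest must match; one mismatch rejects."""
    return verify_any(data, record, record.keys())

def find_weak_collision(prefix: bytes = b"cert-"):
    """Birthday search for two distinct inputs with the same 'weak' digest."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        d = HASHES["weak"](msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg

def demo():
    legit, rogue = find_weak_collision()
    record = digest_record(legit)                    # signer covered both digests of legit
    weak_only = verify_any(rogue, record, ["weak"])  # True: the weak hash alone is fooled
    both = verify_all(rogue, record)                 # False: SHA-256 still tells them apart
    return legit != rogue, weak_only, both

if __name__ == "__main__":
    print(demo())  # -> (True, True, False)
```

A collision in one algorithm only carries over to the combined check if the same pair also collides under every other covered digest, which is what the dual-hash record forces an attacker to achieve.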