[Dshield] Crypto Question

John Hardin jhardin at impsec.org
Fri Mar 6 16:35:20 GMT 2009


On Thu, 5 Mar 2009, Frank Knobbe wrote:

> I think John's thought was, why not use two different hash algos on the 
> same plaintext. If one or the other fails (or both fail), something is 
> up. Only if both hashes (with known or unknown collision methods) pass, 
> the plaintext is verified.

Exactly correct.

> Obviously that leads to complexity which may carry a little devil in
> itself somewhere. Using a good hash that has a high reliability (SHA-512
> or whatever) would be simpler.

Agreed. It's also possibly double the computational cost. I recognize 
that. To judge the value of this you must also ask how expensive an 
undetectable forgery would be.

I would say a signature on a website cert or non-ephemeral file (e.g. a 
PGP message) would be worth the extra computational cost; for something 
like verifying network traffic, it'd be a lot less likely.

> But it raises an interesting question. We know mathematically how hard
> or weak the known broken hashes are. How would you calculate the
> combined reliability of two different hashes? Is it as simple as adding
> exponents, or does it require a different strength calculation because
> the algorithms are different, which inherently impedes finding a
> single collision that satisfies both algos?
>
> Just curious,

Me too.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Failure to plan ahead on someone else's part does not constitute
   an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
  2 days until Daylight Saving Time begins in U.S. - Spring Forward
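
The two-hash check discussed in this thread, as an added example that is not part of the original message: one pass over the data feeds both hash objects, and the plaintext is accepted only if both digests match. The algorithm pair (SHA-512 and SHA3-256), the function names and the sample bytes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import io


def dual_digest(stream, algos=("sha512", "sha3_256"), chunk_size=65536):
    """Read the stream once and feed every chunk to each hash object."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_dual(stream, expected):
    """Return (ok, failed). ok is True only if every expected digest matches;
    failed lists the algorithms whose digest did not match."""
    actual = dual_digest(stream, algos=tuple(expected))
    failed = [
        name
        for name, want in expected.items()
        # compare_digest avoids leaking the mismatch position through timing
        if not hmac.compare_digest(actual[name], want.lower())
    ]
    return (not failed, failed)


# Constructed sample data (not from the thread).
ORIGINAL = b"constructed sample message\n"
TAMPERED = b"constructed sample messagE\n"
# Digests the publisher would distribute alongside the file.
PUBLISHED = dual_digest(io.BytesIO(ORIGINAL))

if __name__ == "__main__":
    print(verify_dual(io.BytesIO(ORIGINAL), PUBLISHED))
    print(verify_dual(io.BytesIO(TAMPERED), PUBLISHED))
    # One digest correct, one wrong: still rejected, and the report says which.
    one_bad = dict(PUBLISHED, sha3_256="0" * 64)
    print(verify_dual(io.BytesIO(ORIGINAL), one_bad))
```

On the combined-strength question: when at least one of the two functions is an iterated (Merkle-Damgård) design, Joux's 2004 multicollision result shows that finding a collision for the pair costs only slightly more than for the stronger hash alone, so the exponents do not add.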

