Slashdot Mirror


SHA-1 Collisions for Meaningful Messages

mrogers writes "Following on the heels of last year's collision search attack against SHA-1, researchers at the Crypto 2006 conference have announced a new attack that allows the attacker to choose part of the colliding messages. "Using the new method, it is possible, for example, to produce two HTML documents with a long nonsense part after the closing </html> tag, which, despite slight differences in the HTML part, thanks to the adapted appendage have the same hash value." A similar attack against MD5 was announced last year."

2 of 128 comments

  1. How about this combination: by Name+Anonymous · Score: 4, Interesting

    Provide the following 3 pieces of data:

    1) Message/file length
    2) SHA1 hash
    3) MD5 checksum or some other hash/checksum that's calculated way differently from SHA1.

    Providing the length means that the person trying to change the data needs to keep it the same length which makes it more difficult.

    Using 2 different hashing/checksumming methods means they have to be able to match both of them in order to be able to switch the data.

    The more restrictions we toss on the data, the harder it is to manipulate. I do think that using more than 2 or 3 hashing/checksumming methods would be overkill, however.
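The three-part check proposed above (length plus two structurally different digests), written out as an added Python example that is not part of the original post. It uses only the standard library; the sample HTML documents are constructed for the demonstration, and SHA-256 is included as a third component on my own initiative rather than the commenter's. One caveat worth knowing when evaluating this idea: for iterated (Merkle-Damgård) hashes such as MD5 and SHA-1, Joux showed in 2004 that a concatenation of two such digests is not much harder to collide than the stronger of the two on its own, so the extra digest raises the bar less than intuition suggests; the length check is cheap but only rules out appendage-style tampering, not same-length substitutions.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> dict:
    """Composite fingerprint: message length plus three digests.
    SHA-256 is an addition of this example (assumption), not part of
    the original three-item proposal."""
    return {
        "length": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify(data: bytes, expected: dict) -> list:
    """Return the names of the components that do NOT match, in the
    fixed order length, sha1, md5, sha256, so a caller can see which
    constraint a candidate violated. An empty list means it passed."""
    actual = fingerprint(data)
    failed = []
    if actual["length"] != expected["length"]:
        failed.append("length")
    for name in ("sha1", "md5", "sha256"):
        # compare_digest is constant-time, so a verifier that receives
        # attacker-chosen fingerprints does not leak via timing.
        if not hmac.compare_digest(actual[name], expected[name]):
            failed.append(name)
    return failed


# Constructed sample documents for the demonstration.
ORIGINAL = b"<html><body>Pay 100 EUR</body></html>"
# Same length, one field altered: the length check alone cannot catch this.
SAME_LENGTH_TAMPER = b"<html><body>Pay 900 EUR</body></html>"
# Nonsense appended after the closing tag, the shape the summary describes:
# the length constraint rejects it even before any digest is compared.
APPENDED = ORIGINAL + b"\n" + b"x" * 32


def demo() -> dict:
    """Run the verifier against each sample and report which parts failed."""
    expected = fingerprint(ORIGINAL)
    return {
        "original": verify(ORIGINAL, expected),
        "same_length_tamper": verify(SAME_LENGTH_TAMPER, expected),
        "appended": verify(APPENDED, expected),
    }


if __name__ == "__main__":
    for label, failed in demo().items():
        print(f"{label}: {'ok' if not failed else 'FAILED ' + ', '.join(failed)}")
```

The point the output makes is that the length constraint is the one component that distinguishes an appendage attack from a same-length substitution; the digests fail in both cases, and whether a real collision search could satisfy all of them at once is exactly what the Joux result bears on.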

  2. Re:This is a big deal by Ckwop · Score: 4, Interesting
    Whirlpool is a good choice these days. It's longer than most of the hashes out there, but I don't believe there have been any attacks yet demonstrated against it. For those pythoners out there I wrote a quick wrapper for it that should get you started. Excuse any site errors and just hit refresh

    Seconded. Whirlpool uses similar mathematics to AES, so an attack that breaks Whirlpool is likely (although not certain by any stretch of the imagination) to also break AES.

    I think, much like it is harder to design a cipher that resists attack when you use an LFSR as your base primitive, it is hard to design a hash that is secure that uses an Unbalanced Feistel Network (UFN).

    This is why I do not advocate moving to the higher SHAs. I believe that some weakness will be discovered and it will be found the UFN made it worse.

    If you're going to use AES, you've already thrown all your eggs in the wide-trail design basket. If you're going to do that for the cipher, you might as well do the same for the hash too.

    In fact, in most cases you will use the hash as part of an authentication primitive anyway. In this case, there's a good argument for dumping a new hash and using an encrypt-authenticate mode of operation instead of something like HMAC. That way, you reduce the number of assumptions which have to be true for the system to be secure, which can only be a good thing.

    In short, if you need to authenticate use your favourite encrypt-authenticate mode. If you need a hash for some other purpose, use Whirlpool.

    Simon