Open Source and information security mailing list archives
 
Message-ID: <20050218102419.F7251@borg.org>
Date: Fri, 18 Feb 2005 10:24:19 -0500
From: Kent Borg <kentborg@...g.org>
To: bugtraq@...urityfocus.com
Subject: Combining Hashes


Concatenating two different hashes, for example SHA-1 and MD5,
apparently does not add as much security as one might hope.

What about more complicated compositions?  For example, a reader
comment posted on Bruce Schneier's blog
(http://www.schneier.com/blog/archives/2005/02/sha1_broken.html)
suggests the following:

d1=SHA-1(data)
d2=MD5(data)
d3=SHA-1(d1+data+d2)

The final digest would be d1+d2+d3

(where "+" is concatenation)


I admit I don't know why this might be significantly better than
d1+d2; I was hoping someone here would.


-kb
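
Added example, not part of the original message: why plain concatenation (d1+d2) of two iterated hashes gains little, shown with Joux's multicollision technique (CRYPTO 2004) on toy 16-bit functions made by truncating SHA-1 and MD5. The function names, the 4-byte blocks and the 16-bit state are assumptions for illustration; the sketch covers only d1+d2 and says nothing about the d3 term.

```python
import hashlib
from itertools import product

N = 2  # toy chaining-state width in bytes (16 bits); assumption so the search is instant

def comp(algo, state, block):
    """Toy compression function: real hash of state||block, truncated to N bytes."""
    return hashlib.new(algo, state + block).digest()[:N]

def toy_hash(algo, blocks):
    """Iterated (Merkle-Damgard style) toy hash. Length padding is omitted
    because every message compared here has the same number of blocks."""
    state = bytes(N)
    for block in blocks:
        state = comp(algo, state, block)
    return state

def block_collision(algo, state):
    """Birthday-search two distinct 4-byte blocks that collide from `state`."""
    seen = {}
    i = 0
    while True:
        block = i.to_bytes(4, "big")
        out = comp(algo, state, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block
        i += 1

def concat_collision(k=12):
    """Find two messages colliding under toy-SHA-1 || toy-MD5."""
    state, pairs = bytes(N), []
    for _ in range(k):  # k chained one-block collisions for toy-SHA-1
        b0, b1, state = block_collision("sha1", state)
        pairs.append((b0, b1))
    # Any choice of b0/b1 per position gives the same toy-SHA-1 digest, so
    # these 2**k messages are a free pool for a birthday search on toy-MD5.
    seen = {}
    for msg in product(*pairs):
        digest = toy_hash("md5", msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
    return concat_collision(k + 1)  # pool too small: enlarge it and retry

if __name__ == "__main__":
    m1, m2 = concat_collision()
    print(b"".join(m1).hex(), b"".join(m2).hex())
```

The work is about k * 2^8 compression calls for the toy-SHA-1 part plus on the order of 2^8 toy-MD5 evaluations, against roughly 2^16 messages for a generic birthday search on an ideal 32-bit digest.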

