Update to using MD5 and SHA-1
January 11, 2008 – 3:22 pm
This is a post following up from a previous post, “Using MD5 and SHA-1 Separately”. I did some more research, listened to responses, and I found some related stuff on the internet as well.
I found a post on another blog which contained some relevant ideas: http://hype-free.blogspot.com/2008/01/faster-md5-collisions.html
This statement would be correct (in my humble opinion) only if the given hashes have the same algorithmic background (for example the MD and SHA family of hashes). However, if you use two hashes which are from two different families (for example one from the SHA-2 family - SHA-224, SHA-256, etc - and WHIRLPOOL) odds are that if an attack is found against one, the collisions it generates are not effective against the other and vice-versa.
I guess I might have been wrong about collisions with MD5 and SHA-1. I didn’t know MD5 and SHA-1 had the same algorithmic background. But as explained in the article, using a different algorithm combination would work fine. It just depends on what you use to get two (or more) hashes.
I also got some responses by some smarter people over at Dev Network. I just want to say first that I’m not a security expert, and I didn’t do much research on the original post.
Here is what they posted:
No, it’s not “effective against rainbow tables”, RTs are just a way to do reverse lookups on hashes. If anything, having two hashes instead of one, would help the attacker, as it increases the probability that the hash in question will be findable in one of the RTs. Unless the two hashes are salted that is, in which case we’re back to square one with no added security against RTs (in comparison with using a single salted hash).
As for the idea - it’s not new (apparently the OP hasn’t spent any significant time in research), and only has limited merit against collision attacks. The combined collision resistance is not the sum of resistances of the different hash functions (due to the implementation details of most modern hash functions, which I’m barely familiar with, just quoting here), but it’s still somewhat useful if one of the functions gets too broken, the combined collision resistance will still be no less than the collision resistance of the remaining function. This is why they still continue to use MD5 + SHA1 in signing some GNU/Linux distros.
When dealing with login credentials, we do not care about the collision properties of the hash functions, but of their preimage-attack resistance (i.e. one-way-ness). As such, the OP has been solving the wrong problem. I already spoke about keeping two hashes. Now, if we want to increase preimage-resistance, a better theoretical thing is to use a single function with better resistance (say SHA256). A better practical thing is to use SHA256 because there are no (or rather “less”, haven’t checked really) public RT services against it. And don’t forget a good salting.
I hope you understand that.
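
The rainbow-table point in the quoted responses, as an added example that is not part of the original post or the Dev Network replies: it compares table lookups against a single unsalted MD5, the MD5 + SHA-1 pair, and a per-user salted hash. The two small tables and the password list are constructed sample data, the function names are hypothetical, and PBKDF2-HMAC-SHA256 is this example's choice for the salted scheme.

```python
import hashlib
import hmac
import os

# Constructed sample data: two precomputed reverse-lookup tables with different
# coverage, standing in for separate MD5 and SHA-1 rainbow tables.
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w
             for w in ("letmein", "password", "qwerty")}
SHA1_TABLE = {hashlib.sha1(w.encode()).hexdigest(): w
              for w in ("dragon", "monkey", "password")}

def store_md5_only(password):
    """Baseline: a single unsalted MD5 digest."""
    return {"md5": hashlib.md5(password.encode()).hexdigest()}

def store_dual_unsalted(password):
    """The scheme from the earlier post: keep both unsalted digests."""
    return {"md5": hashlib.md5(password.encode()).hexdigest(),
            "sha1": hashlib.sha1(password.encode()).hexdigest()}

def store_salted(password, iterations=100_000):
    """Random per-user salt. PBKDF2-HMAC-SHA256 is this example's choice."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

def table_lookup(record):
    """Return the plaintext if any stored field appears in either table."""
    for value in record.values():
        hit = MD5_TABLE.get(value) or SHA1_TABLE.get(value)
        if hit:
            return hit
    return None

def recovered(passwords, scheme):
    """Passwords whose stored record is reversed by a plain table lookup."""
    return [p for p in passwords if table_lookup(scheme(p)) == p]

if __name__ == "__main__":
    users = ["letmein", "dragon", "password", "correct horse"]  # constructed
    for scheme in (store_md5_only, store_dual_unsalted, store_salted):
        print(scheme.__name__, recovered(users, scheme))
```

Storing the second unsalted digest exposes "dragon", which the MD5 table alone does not cover, while none of the salted records match a precomputed entry.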

3 Responses to “Update to using MD5 and SHA-1”
Do you know much about salting? I’ve heard that a dynamic salt is the most secure way to encrypt data.
By foxumon on Feb 7, 2008
Haha, yes, of course I know about salting, and of course I use it.
I’m not sure about it being the most secure way to encrypt data though. There’s probably more to it.
By Andy on Feb 7, 2008
Well, dynamic salting supposedly stores the salt within the encrypted data - I’m not sure about all the specifics but from what I’ve heard it’s the best way to encrypt.
Although I’m really no expert~
I’m just wondering if you’ve heard of it/what your feelings are on it =3
By foxumon on Feb 8, 2008