Security Basics mailing list archives
Re: MD5-Hash of a SHA-1-Hash unsecure?
From: Andre Pawlowski <sqall () h4des org>
Date: Sat, 06 Dec 2008 13:08:57 +0100
Well, I did not say it clear enough. David Gillett wrote:
"Less secure" than what? I can't tell what the other side of the comparison is supposed to be.
Is it less secure to make a md5-hash of a sha-1-hash for the IV than using the sha-1-hash for the IV? I do not know if this has an effect on the entropy of the sha-1-hash or whatever. Is it easier to "crack" this hash? This was my original thought. I'm sorry that I asked with so unspecific informations. jason.gerfen () gmail com wrote:
So your just using the md5 hash as a unique IV? It might be a bit more secure to use something like rand() for your IV.
Well, I use the hash because I need the IV for the decryption (or am I wrong?) and I did not store this IV. So, when the user entered the password for the decryption and this is wrong, the IV will also be wrong and the file is useless after the decryption. jason.gerfen () gmail com wrote:
If you were really going to do that correctly you would not transmit the sha1 hash at all. You could use that sha1 hash as a private key for the user (keep it stored on their machine as it is more secure then sending it over the wire)
I transfer the sha-1-hash over a ssl channel so it should not be easy for a third person to listen on this transmission and get the sha-1-hash. Thanks guys. -- Andre Pawlowski ------------------------------------------------------------------- Regierung ist nicht der Ausdruck des Volkswillens, sondern der Ausdruck dessen, was ein Volk ertrÃĪgt. -Kurt Tucholsky
Current thread:
- MD5-Hash of a SHA-1-Hash unsecure? Andre Pawlowski (Dec 05)
- RE: MD5-Hash of a SHA-1-Hash unsecure? David Gillett (Dec 08)
- Re: MD5-Hash of a SHA-1-Hash unsecure? Andre Pawlowski (Dec 08)
- Re: MD5-Hash of a SHA-1-Hash unsecure? Alexander Klimov (Dec 08)
- <Possible follow-ups>
- Re: MD5-Hash of a SHA-1-Hash unsecure? jason . gerfen (Dec 05)
- Re: MD5-Hash of a SHA-1-Hash unsecure? Tom Ritter (Dec 08)
- Re: Re: MD5-Hash of a SHA-1-Hash unsecure? asdfs (Dec 09)
- RE: MD5-Hash of a SHA-1-Hash unsecure? David Gillett (Dec 08)