[367] in cryptography@c2.net mail archive
Re: Q: security of 2-barreled hashing
daemon@ATHENA.MIT.EDU (Hal Finney)
Mon Mar 17 12:51:17 1997
Date: Mon, 17 Mar 1997 09:24:02 -0800 (PST)
From: Hal Finney <hal@rain.org>
To: coderpunks@toad.com, cryptography@c2.net
From: "Lawrence C. Stewart" <stewart@openmarket.com>
> Suppose I have a message m and the matching valid signature H(M)
> = (SHA(m), CRC(m)).  The message is transmitted as (m,H(m)).
I'm sorry, I still don't follow.  H(M) is not a signature.  It is a
hash.  We calculate a signature on the hash (typically) - that is
why we want to find two hashes that are the same.  We can't calculate
a signature for an arbitrary message but we can easily calculate a
hash for one.  If we can find two hashes which match, the signature
on one will apply to the other.  That is the attack I thought we
were talking about.
> By virtue of cleverness, I have located a different message m' such
> that SHA(m') = SHA(m), but alas, CRC(m) != CRC(m').
> 
> I create a new hash, H(m') = (SHA(m), CRC(m')), and attach it to
> my new message m', giving (m',H(m')) which is accepted by
> the recipient.
You seem to be assuming that the recipient will accept any message
which is followed by a valid hash.  This doesn't make sense.  You
can calculate a hash on any message.  Appending a hash to a message
is meaningless, unless there is some other operation involved.
Hal
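The distinction Hal draws here, as an added worked example that is not part of the original thread and not code from either correspondent: a recipient that verifies a signature recomputes the whole two-barreled hash (SHA part and CRC part) over the message it actually received, so a collision on only one barrel buys nothing, whereas "accept any message that arrives with a matching hash" is a check anyone can satisfy. Assumptions: the SHA barrel is replaced by a deliberately weak stand-in (the first two bytes of SHA-256) so that a collision can be found by brute force on a laptop, and the signature is simulated with an HMAC under a key only the signer holds (a stand-in for a public-key signature over the hash); the message and key are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed demo of a "2-barreled" hash H(m) = (weak(m), CRC32(m)).
# The weak barrel is a hypothetical stand-in for SHA: only the first
# WEAK_BYTES bytes of SHA-256, so collisions are cheap to find here.
WEAK_BYTES = 2


def weak_hash(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()[:WEAK_BYTES]


def crc(m: bytes) -> int:
    return zlib.crc32(m) & 0xFFFFFFFF


def two_barrel_hash(m: bytes):
    # H(m) = (weak(m), CRC(m)); both barrels are recomputed from m.
    return (weak_hash(m), crc(m))


def encode_hash(h) -> bytes:
    return h[0] + h[1].to_bytes(4, "big")


# Signature stand-in (assumption): an HMAC under a key only the signer
# holds. Anyone can compute H(m); only the signer can produce sign(m).
SIGNING_KEY = b"constructed-signer-secret"


def sign(m: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, encode_hash(two_barrel_hash(m)),
                    hashlib.sha256).digest()


def verify_signature(m: bytes, sig: bytes) -> bool:
    # The recipient recomputes H(m) over what it received and checks the
    # signature against that; it never trusts a hash shipped alongside.
    expected = sign(m)
    return hmac.compare_digest(expected, sig)


def accept_by_attached_hash(m: bytes, attached) -> bool:
    # The flawed acceptance rule from the quoted scenario: accept (m, H)
    # whenever H equals H(m). Trivially satisfiable by whoever sends m.
    return two_barrel_hash(m) == attached


def find_weak_collision(m: bytes) -> bytes:
    # Brute-force a second message with the same weak barrel as m.
    # Expected cost ~2**(8*WEAK_BYTES) hashes, so keep WEAK_BYTES small.
    target = weak_hash(m)
    i = 0
    while True:
        cand = m + b" #" + str(i).encode()
        if weak_hash(cand) == target:
            return cand
        i += 1


def demo():
    m = b"pay alice 10"
    sig = sign(m)                      # signer's legitimate signature
    m2 = find_weak_collision(m)        # collision on the weak barrel only
    forged_hash = (weak_hash(m), crc(m2))  # "H(m') = (SHA(m), CRC(m'))"
    return {
        "weak_collides": weak_hash(m2) == weak_hash(m),
        "crc_collides": crc(m2) == crc(m),
        "original_verifies": verify_signature(m, sig),
        # Signature over (weak(m), CRC(m)) does not cover (weak(m), CRC(m')).
        "forgery_verifies": verify_signature(m2, sig),
        # A bare hash check is passed by any message the attacker chooses.
        "forgery_accepted_by_hash_only": accept_by_attached_hash(m2, forged_hash),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the dictionary makes: `forgery_verifies` is False because the signature was computed over both barrels and the CRC barrel did not collide, while `forgery_accepted_by_hash_only` is True precisely because a hash without a signature binds nothing to the sender.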