> On May 6, 2019, at 7:18 AM, Hubert Kario <hka...@redhat.com> wrote:
>
> ncatenation: To strengthen protocols against collisions in any one
> hash function, it may be tempting to use a combination of two
> independent hash functions. For example, TLS versions up to 1.1 use a
> concatenation of MD5 and SHA-1. While the output length of this
> construction is 288 bits, it does not offer the security of a
> 288-bit
> hash function. In particular, Joux described a multi-collision attack that
>
> breaks the concatenation of two hash functions with roughly the same
>
> effort as breaking the strongest one of the two [18].
With the proviso that the attack on the second hash function is *generic*
(i.e. 2^{n/2} brute-force). Thus the attack on SHA-1 + MD5, has a cost
of 64 * cost of SHA-1 collision + O(2^64) MD5 operations (with the associated
memory costs of finding the collision).
Yes, it is far from as strong as a real 288-bit hash, and one would not
choose the construction in a new standard, but in *practice* it is likely
stronger than SHA-1, even if it is far from the strength one might naïvely
hope for.
The hypothetical Joux multi-collision attack on SHA1-MD5 would have to attack
the protocol in a way that can make use of collisions rather than the much
harder to find pre-images. Are you aware of any attacks that reduce the
pre-image resistance of SHA-1+MD5 to that of SHA-1?
There's quite a gap between (rightly) concluding that concatenated hash
functions are not a good crypto building block, to concluding that a
particular construction is no stronger in practice in a particular
protocol.
Which is not to say that I have a concrete stength estimate for SHA-1+MD5
vs. SHA-1 in TLS. Rather, the practical implication of the multi-collisions
attacks is more subtle than the basic theoretical conclusion that invalidates
their naïve strength estimate.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
