Adam Shostack (adam@homeport.org)
Tue, 30 Jun 1998 08:18:19 -0400 (EDT)
Greg Rose wrote:
| If you do, indeed, want to truncate a hash, it is better to fold in the
| excess bits with an XOR instead of just dropping them; while this doesn't
| change the brute-force complexity, it defeats some amount of
| precomputation, and if the hash has some kinds of faults (eg. COMP128 I
| think) it can actually defend against the reversal.
Folding in the final bits also prevents people from
optimizing out any part of the final round, which is sometimes a
useful optimization of an attack.
As Perry points out, this is really only useful in the case of
very low security applications, where a break is expected in other
ways. I've used folded hashes for licensing applications, where the
expected break is not in the hash, but changing around the if
statements around the licensing. Using a shorter hash makes it easier
to do tech support, since you're reading off smaller strings of data.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
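
The folding discussed in this message, set beside plain truncation, as an added example that is not part of the original thread. SHA-256, the 5-byte Base32 check code and all function names are assumptions chosen for illustration; the sample input is constructed.

```python
import base64
import hashlib


def truncate(digest: bytes, n: int) -> bytes:
    """Keep the first n bytes and drop the excess."""
    return digest[:n]


def xor_fold(digest: bytes, n: int) -> bytes:
    """Fold the digest to n bytes by XORing every byte into position i mod n.

    If the digest length is not a multiple of n, the short final chunk
    is folded into the leading bytes only.
    """
    if not 0 < n <= len(digest):
        raise ValueError("n must be between 1 and the digest length")
    out = bytearray(n)
    for i, b in enumerate(digest):
        out[i % n] ^= b
    return bytes(out)


def short_code(data: bytes, n: int = 5) -> str:
    """Hypothetical licence-style check code: SHA-256, folded to n bytes, Base32."""
    folded = xor_fold(hashlib.sha256(data).digest(), n)
    return base64.b32encode(folded).decode("ascii").rstrip("=")


def flip_bit(digest: bytes, byte_index: int) -> bytes:
    """Return a copy of the digest with one bit changed (for comparison only)."""
    changed = bytearray(digest)
    changed[byte_index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    # Constructed sample input.
    d = hashlib.sha256(b"constructed sample: customer 1234, product X").digest()
    d_tail = flip_bit(d, len(d) - 1)  # differs only in the last digest byte
    # Truncation ignores the tail of the digest; folding depends on all of it.
    print("truncated values equal:", truncate(d, 8) == truncate(d_tail, 8))
    print("folded values equal:   ", xor_fold(d, 8) == xor_fold(d_tail, 8))
    print("check code:", short_code(b"constructed sample: customer 1234, product X"))
```

Both outputs have the same length, so the brute-force cost is unchanged; the difference is only that every bit of the full digest contributes to the folded value.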