Security Basics
mailing list archives
Re: MD5-Hash of a SHA-1-Hash unsecure?
From: jason.gerfen () gmail com
Date: 5 Dec 2008 17:00:31 -0000
So you're just using the md5 hash as a unique IV?
It might be a bit more secure to use something like rand() for your IV.
If you were really going to do that correctly you would not transmit the sha1 hash at all. You could use that sha1 hash as a private key for the user (keep it stored on their machine, as that is more secure than sending it over the wire).
Then generate an md5 of the sha1 (private key) and transmit that to the server as a public key which can be shared with co-workers, friends etc.
To generate a secure IV, I would use something more random like rand() or something equivalent.
Just my two cents.
http://phpdhcpadmin.sourceforge.net
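
The difference between an IV derived from a hash of a fixed secret and a freshly generated random one, as an added example that is not part of the original message. It assumes a counter-mode style of encryption, stood in for here by an HMAC-SHA256 keystream (not a real cipher), and uses Python's `secrets` module as the random source; the key, secret and messages are constructed.

```python
import hashlib
import hmac
import secrets

IV_LEN = 16  # bytes; an MD5 digest is this long

def hash_derived_iv(secret: bytes) -> bytes:
    """IV = MD5(SHA-1(secret)): always the same for the same secret."""
    return hashlib.md5(hashlib.sha1(secret).digest()).digest()

def random_iv() -> bytes:
    """Fresh IV from the operating system's CSPRNG."""
    return secrets.token_bytes(IV_LEN)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stand-in counter-mode cipher (assumption, not a real cipher):
    keystream block i is HMAC-SHA256(key, iv || i)."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        block = iv + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return xor(plaintext, stream)

def demo():
    # All values below are constructed for the example.
    key = hashlib.sha256(b"constructed demo key").digest()
    secret = b"constructed-password"
    m1 = b"transfer 0100 to alice"
    m2 = b"transfer 9999 to carol"
    # Same hash-derived IV for both messages: identical keystream, so the
    # XOR of the ciphertexts equals the XOR of the plaintexts.
    iv = hash_derived_iv(secret)
    reused = xor(encrypt(key, iv, m1), encrypt(key, iv, m2)) == xor(m1, m2)
    # Fresh random IV per message: the keystreams differ and no longer cancel.
    fresh = xor(encrypt(key, random_iv(), m1),
                encrypt(key, random_iv(), m2)) == xor(m1, m2)
    return reused, fresh

if __name__ == "__main__":
    print(demo())
```

`demo()` returns a pair: whether the plaintext XOR is recoverable from the two ciphertexts with the hash-derived IV, and whether it is with per-message random IVs.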