|
Security Basics
mailing list archives
Re: MD5-Hash of a SHA-1-Hash unsecure?
From: Alexander Klimov <alserkli () inbox ru>
Date: Mon, 8 Dec 2008 12:45:49 +0200 (IST)
On Fri, 5 Dec 2008, Andre Pawlowski wrote:
I've written a program which can store files encrypted (
http://h4des.org/index.php?inhalt=kastalia ). The user enters a
password when he wants to encrypt a file. The programm makes a
SHA-1-Hash of this password and transfers it from the browser to the
server. When the encryption starts, the program makes a MD5-Hash of
this SHA-1-Hash for the IV of the blowfish algorithm.
Here is my question: Is it less secure when I make a MD5-Hash of a
SHA-1-Hash?
Depending on encryption mode, IV must be either random or unique and
thus from the cryptography point of view, using the same IV is wrong,
on the other hand the problem is rather theoretical for the target
audience of a system that
has the option to store the files encrypted on the server so
the user can be sure his files are securely safed. [...] Even
though the files are stored encrypted on the server they must
be transfered to the user unencrypted.
One who cares about security would rather use GnuPG (or 7-Zip)
to encrypt files locally.
--
Regards,
ASK
 By Date 
By Thread
Current thread:
| 
Intro
