Malicious SHA-1 (2014)

[purkka]

> H0(H1(m)) has the security of just H0. Hashes are not made to protect the content of m, but instead made to test the integrity of m. As such, a flaw in H0 will break the security guarantee, no matter how secure H1 is.

But this isn't true for all flaws. For example, even with the collision attacks against SHA-1, I don't think they're even remotely close to enabling a collision for SHA-1(some_other_hash(M)).

Similarly, HMAC-SHA-1 is still considered secure, as it's effectively SHA-1-X(SHA-1-Y(M)), where SHA-1-X and SHA-1-Y are just SHA-1 with different starting states.

So there's some value to be found in nesting hashes.

[1]: https://en.wikipedia.org/wiki/HMAC#Definition

[Genbox]

We are saying the same thing. H0 is SHA-1 in your example.

The strength of an HMAC depends on the strength of the hash function; however, since it uses two derived keys, the outer hash protects the inner hash (using the same hash function), which in turn provides protection against length extension attacks.

The case I was making, is that weakhash(stronghash(m)) has the security of weakhash, no matter how strong stronghash is.

[purkka]

> The case I was making, is that weakhash(stronghash(m)) has the security of weakhash, no matter how strong stronghash is.

I'll have to disagree. There are no known collision attacks against SHA-1(SHA-3(M)), so in the applied case, a combination can be more secure for some properties, even if it isn't in the theoretical case.

[rurban]

There is only SHA-1 with a fixed starting state!

Once you change the IV the hash becomes entirely insecure and can be broken in seconds. You just need to overwrite the first IV word with 0, and it's broken. It's a very weak and fragile hash function. They demonstrated it with internal constants K1-K4, but the IV is external, and may be abused as random seed.