John Denker wrote:
Here's another splint using the same general idea, but
with less complexity:  calculate the hash once then
prepend that to the message and hash again, i.e.
   hash3(M) := hash1[hash1(M) (+) M]

This is Schneier and Ferguson's solution to then-known hash function weaknesses in Practical Cryptography, Wiley Publishing, 2003:

"We do not know of any literature about how to fix the hash functions, but here is what we came up with when writing this book. ... Let h be one of the hash functions mentioned above. Instead of m->h(m), we use m->h(h(m) || m) as hash function. Effectively we put h(m) before the message we are hashing. This ensures that the iterative hash computations immediately depend on all the bits of the message, and no partial-message or length extension attacks can work. ... The disadvantage of this approach is that it is slow ... Another disadvantage is that this approach requires the whole message m to be buffered. You can no longer compute the hash of a stream of data as it passes by" (p. 93).

Cheers,
Ivan.
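The construction quoted above, h(h(m) || m), as an added worked example that is not part of John Denker's or Ivan's post and is not code from Practical Cryptography. It builds a toy Merkle-Damgard hash (SHA-256 is used only as the compression function, an assumption made so the chaining state is visible; this is not a real hash design), runs the classic length-extension forgery against it, and then shows the same forgery going nowhere against the wrapped hash: the attacker can still extend the outer hash, but the result is not the wrapped hash of any message, because the genuine value would start with h(m') rather than h(m). The function names (md_hash, hash3, length_extend) and the sample messages are my own.

```python
"""Toy Merkle-Damgard hash, a length-extension forgery against it, and the
h(h(m) || m) wrap that defeats the forgery.

SHA-256 is used only as the compression function f(state, block); the
iteration around it is a plain Merkle-Damgard construction with a 32-byte
state and 64-byte blocks. It exists to make the state visible so the attack
can be run offline, not as a hash design."""
import hashlib
import struct

BLOCK = 64        # bytes per message block
DIGEST = 32       # bytes of chaining state / output
IV = b"\x00" * DIGEST


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function f(state, block) -> new state."""
    return hashlib.sha256(state + block).digest()


def md_pad(msg_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit big-endian bit length."""
    zeros = (BLOCK - 9 - msg_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def md_absorb(state: bytes, data: bytes) -> bytes:
    """Run the compression function over block-aligned data from a given state."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def md_hash(msg: bytes) -> bytes:
    """Plain iterated hash: the final chaining state is the digest."""
    return md_absorb(IV, msg + md_pad(len(msg)))


def hash3(msg: bytes) -> bytes:
    """The wrap h(h(m) || m). The whole message must be in hand before the
    first block is absorbed, which is the streaming cost the book mentions."""
    return md_hash(md_hash(msg) + msg)


def length_extend(digest: bytes, orig_len: int, suffix: bytes):
    """Forge md_hash(M || glue || suffix) from md_hash(M) and len(M), without M.

    Works because the digest *is* the chaining state after M's padded blocks,
    so the attacker just keeps absorbing. Returns (forged_digest, glue)."""
    glue = md_pad(orig_len)                      # the padding the victim applied to M
    total_len = orig_len + len(glue) + len(suffix)
    forged = md_absorb(digest, suffix + md_pad(total_len))
    return forged, glue


def demo():
    m = b"amount=100&to=alice"      # constructed sample message
    x = b"&to=mallory"              # constructed attacker suffix

    # 1. Plain Merkle-Damgard: the forgery is the genuine digest of m||glue||x.
    forged, glue = length_extend(md_hash(m), len(m), x)
    plain_ok = forged == md_hash(m + glue + x)

    # 2. Wrapped hash: the attacker can still extend the *outer* hash ...
    t = hash3(m)
    outer_len = DIGEST + len(m)     # attacker must know the outer input length
    forged3, glue3 = length_extend(t, outer_len, x)
    extended_outer = forged3 == md_hash(md_hash(m) + m + glue3 + x)
    # ... but that value is not hash3 of any message: the genuine hash3 of the
    # extended message starts with md_hash(m || glue3 || x), not md_hash(m).
    wrapped_ok = forged3 == hash3(m + glue3 + x)
    return plain_ok, extended_outer, wrapped_ok


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The check that matters is the last one: against the plain construction the forged digest verifies, against h(h(m) || m) it does not, and the attacker cannot repair it without knowing m, because the first block of the genuine computation depends on all of m' = m || glue || x. The same buffering that blocks the attack is also why hash3 cannot be computed over a stream.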

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]