12

I was wondering if different hashes (e.g. md5(sha1($data)) ) are ever used together for data security and if there was any reason for it (either positive or negative answer).

Gurzo
  • 1,117
  • 6
  • 18
  • Cross-site duplicate: http://crypto.stackexchange.com/questions/270/guarding-against-cryptanalytic-breakthroughs-combining-multiple-hash-functions – Mechanical snail Nov 21 '12 at 07:49

2 Answers2

15

Using two hash functions together, as an extra safety against a breach of one of the functions, is delicate. Concatenation (the data is hashed with both hash functions, the results are concatenated) yields a collision resistance equivalent to at least that of the strongest of the two functions (and, surprisingly, not really better than that); on the other hand, concatenation makes preimage resistance no better than the weakest of the two functions. Composition (the data is hashed with one function, and the result is hashed with the other function) offers the opposite: preimage resistance is at least as good as the strongest of the two functions (subject to some definition subtleties, depending on whether you want resistance against recovering the data which was used, or just any message which yields the same output), but for collisions the weakest function defines the overall resistance.

So combining two hash functions together is, at best, a mixed blessing. SSL/TLS, up to TLS 1.1, combines MD5 and SHA-1 into its internal "PRF", which is notably used as a key derivation function (to extend the negotiated secret into keys for symmetric encryption and integrity control); both functions are used in HMAC and then turned into custom PRNG, and the two generated streams are XORed together. The intent was to have a key derivation function which resists cryptanalytic breaks of either MD5 or SHA-1 (whether this really works has not been formally proven; it really depends on the nature of the "break"). It is interesting to note that TLS 1.2 reverts to using a single (configurable) hash function. Combining two hash functions together means that you have to implement both, which is a problem for embedded systems which often have hard constraints on code size.

So the usual advice is: do not do it. It is hard to get it right, and even if you do not introduce any weakness, it is unclear whether you actually gain anything that way, security-wise. On the other hand, there are clear operational costs. It seems better to use a single, better hash function (which means: ditch MD5 and SHA-1, just use SHA-256 instead), with algorithm agility (make the hash function configurable, so that you could change it later on).

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • Do you have links explaining the concatenation and composition issues? I'm not a crypto guy, but I know a lot of people are going to read your answer and want to learn more. – Bradley Kreider Nov 16 '11 at 19:54
  • @rox0r: the answers to [this question](http://crypto.stackexchange.com/questions/270/guarding-against-cryptanalytic-breakthroughs-combining-multiple-hash-functions) are full of relevant links. – Thomas Pornin Nov 16 '11 at 20:06
5

Take a look at this question on Crypto.SE. There are some subtleties with this type of construction. For example, a collision for sha1 (the inner most hash function) in your example immediately yields a collision for the entire thing.

Concatenation of hashes is, surprisingly, only secure as the weakest of the hashes you use when it comes to preimage attacks (i.e., given x=hash(m), find m' such that hash(m')==x, where m' could be equal to m). For collisions, it is fairly strong, however.

As a side note, MD5 and SHA1 are weak and should not be used in new systems.

mikeazo
  • 2,827
  • 13
  • 29