in reply to Why applying MD5 hash twice?

The problem is that available iterative hash functions are vulnerable to length extension attacks. MD5 and SHA-1 construct the hash by iterating over blocks of data and using the earlier hash to construct later ones. It is possible to construct a new hash and message from the original hash by appending extra data to the end of the original message. This extra data turns out to be random junk, but it can be calculated.

One simple solution is to include the length of the message in hash computation: H(K, L, M). This protects the length from being tampered with. MD5 puts the length at the end where it is vulnerable.

Another solution is to validate the message by parsing it. If the parsing finds random junk at the end, then you know it has been tampered with. However, the important authentication data is safe.

Finally, you can compute the hash twice. The best construction is: H(K, H(K, M)). The simplest solution is to use Digest::HMAC. This isn't expensive to compute because the second hash is done over a small amount of data.
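The nested construction recommended above, written out in Perl as an added example (this is not code from the original thread or from the Digest::HMAC distribution): it builds HMAC-MD5 by hand from Digest::MD5, checks the result against Digest::HMAC_MD5, and verifies a received tag in constant time. The key, message and subroutine names are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);
use Digest::HMAC_MD5 qw(hmac_md5_hex);

# Constructed sample values (not from the original thread).
my $key = 'example-secret-key';
my $msg = 'amount=100&to=alice';

# Naive keyed hash H(K . M): the digest is MD5's internal state after
# processing K . M, which is exactly what a length-extension attack reuses.
my $naive = md5_hex($key . $msg);

# HMAC built by hand from Digest::MD5: H(K xor opad, H(K xor ipad, M)).
# The outer hash hides the inner state, so appending to M does not yield
# a valid tag without the key.
sub manual_hmac_md5_hex {
    my ($data, $k) = @_;
    $k = md5($k) if length($k) > 64;          # MD5 block size is 64 bytes
    $k .= "\0" x (64 - length($k));           # zero-pad key to block size
    my $ipad = $k ^ ("\x36" x 64);            # string-wise XOR
    my $opad = $k ^ ("\x5c" x 64);
    return md5_hex($opad . md5($ipad . $data));
}

# Constant-time tag comparison: avoid leaking the first mismatching byte
# through timing when verifying a tag supplied by the other side.
sub tags_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

my $tag     = hmac_md5_hex($msg, $key);       # Digest::HMAC_MD5 (data, key)
my $by_hand = manual_hmac_md5_hex($msg, $key);

print "naive H(K.M): $naive\n";
print "HMAC-MD5:     $tag\n";
print "by hand:      $by_hand\n";
print "library and manual HMAC agree: ", (tags_equal($tag, $by_hand) ? "yes" : "no"), "\n";

# Verifying a tag attached to a message: recompute and compare.
sub verify {
    my ($data, $k, $received_tag) = @_;
    return tags_equal(hmac_md5_hex($data, $k), $received_tag);
}
print "tampered message accepted: ",
      (verify("$msg&to=mallory", $key, $tag) ? "yes" : "no"), "\n";
```

The by-hand routine exists only to show what Digest::HMAC_MD5 does internally; in real code use the module, and compare tags with a constant-time routine rather than `eq`.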

Re: Re: Why applying MD5 hash twice?
by huguei (Scribe) on Sep 10, 2003 at 20:57 UTC

    Thanks!
    In my case, I use data validation, parsing the message, prior to calculating the hash. I imagined that with this approach we can't receive tampered end data.