The combination does limit an attacker to having to create a message within much less leeway by removing the chosen prefix collision from the attacker's inventory.
http://www.win.tue.nl/hashclash/SoftIntCodeSign contains an example of two executables for which modified versions experienced an MD5 collision. Using these files, if Z1, Z2, and Z' are the respective sizes of the two files and of the colliding pair's files (and denoting the MD5 function as M()), then the combined values M(P)||Z1 != M(P')||Z2, but M(P||S)||Z' == M(P'||S')||Z' (although M(P)||Z1 != M(P'||S')||Z').
As a result, the attacker thus has to find a string of exactly the same length that results in the same hash value. Whether finding that is easier than finding a vulnerability in the 256-bit algorithm being used is left as an exercise to the reader. :)
In reply to Re: Speculation: 128-bit digest + 64-bit length (192-bits) is more reliable and unique than a 256-digest alone.
by atcroft
in thread (OT)Speculation: 128-bit digest + 64-bit length (192-bits) is more reliable and unique than a 256-digest alone.
by BrowserUk
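The point made in this reply, that appending the message length to the digest only separates colliding inputs whose lengths differ, can be shown concretely. The following is an added example and not code from the thread or from the hashclash project: because the real MD5 colliding executables are not reproduced here, a truncated MD5 (16 bits, the constructed `toy_hash`) stands in for the 128-bit digest so that collisions can be found by brute force in well under a second. The combined value is built exactly as the thread describes, digest || 64-bit length. It generalizes the post's scenario: one collision is found between messages of different lengths (the combined values differ, like M(P)||Z1 versus M(P')||Z2), and one between messages of equal length (the combined values are identical, like M(P||S)||Z' versus M(P'||S')||Z'). The message construction, prefixes and counter sizes are assumptions chosen for the demonstration.

```python
import hashlib
import struct
from itertools import count

# Toy parameters (assumptions for the demonstration, not part of the thread):
# truncate MD5 to 16 bits so a collision costs ~2^16 hash evaluations.
DIGEST_BYTES = 2
COUNTER_BYTES = 4


def toy_hash(msg: bytes) -> bytes:
    """Stand-in for the 128-bit MD5 digest M(): the first 16 bits of MD5."""
    return hashlib.md5(msg).digest()[:DIGEST_BYTES]


def combined(msg: bytes) -> bytes:
    """The construction discussed in the thread: digest || 64-bit length."""
    return toy_hash(msg) + struct.pack(">Q", len(msg))


def find_collision(prefix_a: bytes, prefix_b: bytes):
    """Return two distinct messages, one starting with each prefix, whose
    toy_hash values are equal.  Messages are prefix || 4-byte counter, so the
    message lengths differ exactly when the prefix lengths differ."""
    assert prefix_a != prefix_b, "distinct prefixes guarantee distinct messages"
    # Table of digests for the prefix_a family (2^17 entries covers most of
    # the 2^16 output space, so the first prefix_b message usually hits).
    table = {}
    for i in range(1 << 17):
        m = prefix_a + i.to_bytes(COUNTER_BYTES, "big")
        table.setdefault(toy_hash(m), m)
    # Walk the prefix_b family until one lands on a digest already seen.
    for j in count():
        m = prefix_b + j.to_bytes(COUNTER_BYTES, "big")
        hit = table.get(toy_hash(m))
        if hit is not None:
            return hit, m


def demonstrate():
    """Return (different_length_separated, same_length_still_collides)."""
    # Case 1: prefixes of different length -> colliding messages of different
    # length -> the appended length tells them apart.
    a, b = find_collision(b"short:", b"longer-:")
    different_length_separated = (
        toy_hash(a) == toy_hash(b) and len(a) != len(b)
        and combined(a) != combined(b)
    )
    # Case 2: prefixes of equal length -> colliding messages of equal length
    # -> digest || length is identical for both, so the suffix buys nothing.
    c, d = find_collision(b"same1:", b"same2:")
    same_length_still_collides = (
        toy_hash(c) == toy_hash(d) and len(c) == len(d)
        and combined(c) == combined(d)
    )
    return different_length_separated, same_length_still_collides


if __name__ == "__main__":
    sep, still = demonstrate()
    print("different-length collision separated by length suffix:", sep)
    print("same-length collision survives length suffix:", still)
```

With a 16-bit toy digest each collision is found almost instantly; the same logic applies unchanged to a 128-bit digest, where the search is the expensive part and the length suffix still only matters when the two colliding inputs have different sizes.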