Multiple keys/methods per key exchange (e.g. multi-md5-sha1-md4 at libssh.org) Re: [PATCH] curve25519-sha256 at libssh.org key exchange proposal

Irek Szczesniak iszczesniak at gmail.com
Thu Sep 26 02:26:42 EST 2013


On Wed, Sep 25, 2013 at 5:40 PM, Christian Weisgerber
<naddy at mips.inka.de> wrote:
> Roland Mainz <roland.mainz at nrubsig.org> wrote:
>
>> Is it useful to combine multiple hash algorithms/methods for a key exchange?
>>
>> The idea would be to use something like "md5" and "sha1" in a key
>> exchange (and append the hash sums) ... individually they are
>> obsolete and more or less cracked or have serious weaknesses, but if
>> the hash sums are combined (e.g. appended... *NOT* XOR'ed!) it would
>> be near impossible to exploit the known weaknesses for reasonably
>> small data.
>
> In general, this is not a good idea, see
>
> Antoine Joux, "Multicollisions in iterated hash functions. Application
> to cascaded constructions"
> http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf

I see one merit: If openssh combines multiple hash algorithms, a single
exploit in a single hash algorithm has no use. That would guard
against sneaky NSA&fellows and their happy
sure-we-can-never-crack-because-we-designed-it-that-way SHA2.

If you'd read the commentary on the Snowden papers you'd have seen the
comment that the NSA can handle SHA2 much faster than AES-256, so
anything based on that can no longer be considered 'secure'.

Irek
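The Joux result Christian cites, worked through on a toy scale as an added example (not code from the thread or from OpenSSH): two 16-bit Merkle-Damgård hashes F and G stand in for MD5 and SHA-1, and the function names, the SHA-256-based toy compression function and the parameter k are my own choices. It shows why appending two iterated hashes of n and m bits costs an attacker roughly k*2^(n/2) + 2^(m/2) evaluations for a collision instead of the 2^((n+m)/2) one might hope for.

```python
"""Toy demonstration of Joux (2004) multicollisions against a cascaded hash F||G."""
import hashlib
import itertools

# Toy 16-bit state; real hashes use far more bits, but the iterated structure is the same.
def compress(tag, state, block):
    """Toy compression function: SHA-256 of tag||state||block truncated to 16 bits."""
    d = hashlib.sha256(tag + state.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")

def md_hash(tag, msg, iv=0):
    """Merkle-Damgard iteration over 2-byte blocks (msg length must be even)."""
    s = iv
    for i in range(0, len(msg), 2):
        s = compress(tag, s, msg[i:i + 2])
    return s

def find_block_collision(tag, state):
    """Birthday search (~2^(n/2) work): two distinct blocks sending `state` to one next state."""
    seen = {}
    for n in itertools.count():
        b = n.to_bytes(2, "big")
        out = compress(tag, state, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b

def joux_multicollision(tag, k):
    """k sequential block collisions yield 2**k distinct messages with the same hash."""
    state, pairs = 0, []
    for _ in range(k):
        b1, b2, state = find_block_collision(tag, state)
        pairs.append((b1, b2))
    return pairs, state

def break_cascade(k=12):
    """Return m1 != m2 with F(m1)||G(m1) == F(m2)||G(m2).

    Cost: k birthday searches on F (k*2^8 here) plus at most 2**k evaluations of G,
    far below the 2^16 full hashes a birthday attack on the 32-bit concatenation needs.
    """
    pairs, _ = joux_multicollision(b"F", k)   # 2**k messages all colliding under F
    seen = {}
    for choice in itertools.product((0, 1), repeat=k):
        m = b"".join(pairs[i][c] for i, c in enumerate(choice))
        g = md_hash(b"G", m)                  # birthday search on G among the F-multicollision
        if g in seen:
            return seen[g], m
        seen[g] = m
    return None                               # only if no G collision among 2**k messages
```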
