5

I read this interesting question on why improvising your own hash function out of existing hash functions is bad. However, this is specifically focusing on 'mixing' existing hash functions. What if, for instance, I modify the per-round shifts of the MD5 hash function? Example:

Shift rounds as of now

s[ 0..15] := { 7, 12, 17, 22,  7, 12, 17, 22,  7, 12, 17, 22,  7, 12, 17, 22 }
s[16..31] := { 5,  9, 14, 20,  5,  9, 14, 20,  5,  9, 14, 20,  5,  9, 14, 20 }
s[32..47] := { 4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23 }
s[48..63] := { 6, 10, 15, 21,  6, 10, 15, 21,  6, 10, 15, 21,  6, 10, 15, 21 }

My own slightly adjusted shift rounds

s[ 0..15] := { 5, 14, 19, 22,  5, 14, 19, 22,  5, 14, 19, 22,  5, 14, 19, 22 }
s[16..31] := { 6, 12, 14, 21,  6, 12, 14, 21,  6, 12, 14, 21,  6, 12, 14, 21 }
s[32..47] := { 4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23 }
s[48..63] := { 7,  9, 11, 17,  7,  9, 11, 17,  7,  9, 11, 17,  7,  9, 11, 17 }

These changes change the outcome of my 'own' hash function drastically. This is just one small example of a change. My reasoning behind this is that it temporarily prevents rainbow attacks. If I have some sloppy users with passwords like thisisnopassword, pandabear & 12346, they would be slightly safer after my database was hacked, as no rainbow tables exist for 'my' hash.

By the way, the reason I chose the per-round shift amounts is that I couldn't find a clear rationale on why they were specifically chosen; see this question.

Thomas Wagenaar
    Why would you do this? There are [easier ways](https://en.wikipedia.org/wiki/Salt_%28cryptography%29) to avoid rainbow table attacks. – fNek Oct 12 '15 at 17:33
  • I understand, but is a salt of my 'own' hashfunction not just a tiny bit safer? – Thomas Wagenaar Oct 12 '15 at 17:37
  • 3
    What's easier, re-implementing MD5 with some slight tweaks (and having no inter-operability with standard libraries), or calling a function with an extra parameter (salt)? I also see no reason this is any more secure than using a random salt. – puzzlepalace Oct 12 '15 at 17:42
  • @Philipp I am not 'rolling on my own', I am merely changing a small feature that does not expose any holes whatsoever. See my linked question at the bottom of my original question. – Thomas Wagenaar Oct 12 '15 at 17:49
  • 2
    @ThomasW One thing to keep in mind is that the chosen per round shifts, constants, etc are chosen to help maximize unique outputs. By changing them you could create a situation where collisions are more likely, and therefore a more cryptographically insecure hashing function. – RoraΖ Oct 12 '15 at 18:01
  • 1
    @ThomasW Reading the answer to that question, you ARE exposing holes because you are making the algorithm weaker by using less ideal values. – Philipp Oct 12 '15 at 18:02
  • Also relevant: ["How weak is MD5 as a password hashing function ?"](https://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function) – Philipp Oct 12 '15 at 18:12
  • 1
    @ThomasW, the S-boxes of DES are a "small feature", but changing them blindly makes the algorithm vulnerable to [differential cryptanalysis](https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27s_involvement_in_the_design). – Mark Oct 12 '15 at 18:44
  • 2
    [Why improvising your own Hash function out of existing hash functions is so bad](https://security.stackexchange.com/questions/33531/why-improvising-your-own-hash-function-out-of-existing-hash-functions-is-so-bad) seems relevant. – Neil Smithline Oct 12 '15 at 18:45
  • 1
    You should not be considering MD5, modified or otherwise. See [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) – Neil Smithline Oct 12 '15 at 18:47
  • Every expert says "Why roll your own...". I understand why the reason exists. Probably some people don't trust the experts. Since they are the experts, how can one tell if there is a backdoor or not? But if everybody would roll their own, any backdoor in the "standard" way of doing it would be meaningless. I also understand why you should not roll your own, for the many reasons enumerated time and time again. – Rudy Oct 12 '15 at 21:39

2 Answers

15

Changing shift rounds blindly has an undefined effect on strength. E.g., you could have a similar number of collisions, or you could have orders of magnitude more collisions; the shift rounds defined initially have a known probability of collisions, shift rounds changed randomly do not.

Listen to folks above, use salting, it's specifically used to serve your purpose. Altering the engine of the car you're driving is a funny sport with fatal outcomes.

Eugene
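To make the point of the question and of this answer concrete, here is an added example (not code from the question or from either answer) that implements MD5 with the per-round shift table as a parameter, so the question's "adjusted" table can be plugged in, and then compares the resulting unsalted store with what the comments recommend: a per-user random salt and a slow, purpose-built password hash. PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumed choice here; the user names and the passwords (taken from the question) are constructed sample data. The modified table is a constant in the application code, not a secret, so it does nothing against an attacker who has the code; what actually defeats precomputation is that every user gets a different salt.

```python
import hashlib
import hmac
import math
import os
import struct

MASK = 0xFFFFFFFF
# Standard MD5 per-round shift amounts (first table in the question).
S_STD = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# The question's "slightly adjusted" table.
S_MOD = [5, 14, 19, 22] * 4 + [6, 12, 14, 21] * 4 + [4, 11, 16, 23] * 4 + [7, 9, 11, 17] * 4
# Round constants: floor(abs(sin(i + 1)) * 2^32), as in the MD5 specification.
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]


def _rotl(x, c):
    """32-bit left rotation."""
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_like(msg: bytes, shifts=S_STD) -> bytes:
    """MD5 with the shift table as a parameter: S_STD gives real MD5,
    any other table gives a 'private' variant like the one in the question."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(msg) * 8
    msg = msg + b"\x80"                                   # padding: 1 bit, then zeros
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)                     # 64-bit little-endian length
    for off in range(0, len(msg), 64):
        M = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                F, g = (B & C) | (~B & D), i
            elif i < 32:
                F, g = (D & B) | (~D & C), (5 * i + 1) % 16
            elif i < 48:
                F, g = B ^ C ^ D, (3 * i + 5) % 16
            else:
                F, g = C ^ (B | ~D), (7 * i) % 16
            F = (F + A + K[i] + M[g]) & MASK
            A, D, C = D, C, B
            B = (B + _rotl(F, shifts[i])) & MASK          # the only place the table matters
        a0, b0, c0, d0 = (a0 + A) & MASK, (b0 + B) & MASK, (c0 + C) & MASK, (d0 + D) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def unsalted_record(password: bytes) -> str:
    """What the question proposes: the tweaked hash, no salt, one fast pass."""
    return md5_like(password, S_MOD).hex()


def salted_record(password: bytes, salt: bytes = None, iterations: int = 600_000):
    """What the comments recommend: random per-user salt plus a deliberately slow
    password hash. PBKDF2-HMAC-SHA256 and the iteration count are assumed choices."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_salted(password: bytes, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def demo() -> dict:
    """Constructed sample users; two of them picked the same weak password."""
    users = {"alice": b"pandabear", "bob": b"pandabear", "carol": b"12346"}
    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return {
        # with the standard table this really is MD5
        "md5_matches_hashlib": md5_like(b"abc") == hashlib.md5(b"abc").digest(),
        # the tweak changes every digest, but deterministically: it is a constant, not a key
        "tweak_changes_digest": md5_like(b"abc", S_MOD) != hashlib.md5(b"abc").digest(),
        "tweak_is_deterministic": unsalted_record(b"abc") == unsalted_record(b"abc"),
        # unsalted: equal passwords give equal records, so one table entry cracks both users
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # salted: equal passwords give different records, so no shared precomputation
        "salted_differ": salted["alice"][1] != salted["bob"][1],
        "salted_verifies": all(verify_salted(users[u], *salted[u]) for u in users),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `md5_like` function is checked against `hashlib.md5` for the standard table, so the only thing the modified table changes is the digest value, not any property an attacker cares about: the function is still fast, still unsalted, and fully determined by a constant anyone with the code can read. The salted variant is the one where two users with the same password end up with unrelated records.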
4

If you have the knowledge to be able to adequately test the effects of your changes on the security, or otherwise, of the result then of course you should go ahead!

The problem is that the old saying 'don't roll your own' with crypto is well founded, because it seems easy to think of how you might do it yourself, but unless we are well informed, testing crypto strength is as complex as, if not more so than, coming up with new algorithms.

Make your changes, publish them along with the explanation and, where possible, demonstration of improved security, have your work peer reviewed by Crypto experts, and you're done. If you can't do any or all of these steps then leave it to people who spend their lives dedicated to getting it right.

Mind you - you could say that about a lot of things in life :)

David Scholefield
  • There's a lot to like in this answer, but this answer seems potentially a bit misleading in some respects. No one knows how to mathematically prove that MD5 is secure, or to mathematically prove that a small tweak to MD5 (such as suggested in the question) preserves its security properties. No one -- not even crypto experts. We'd love to be able to do that, but it's beyond the state of the art. Mentioning that might make the answer stronger. – D.W. Oct 12 '15 at 21:30
  • I agree - the use of the word 'proof' is misleading and I've changed to 'demonstrate' or 'explain'. It doesn't seem strong enough wording but I can't think of an alternative. – David Scholefield Oct 13 '15 at 06:04