4

Suppose I have a file verified.txt that has a certain hash X.

An attacker can form an impostor.txt that replicates the hash with different content, resulting in a collision for a given algorithm, and rendering the hash test useless.

However, could this be prevented by performing a second hash with a second algorithm, and comparing both hashes?

For example, are MD5 and SHA-1 dissimilar enough that a collision could not be created for both at once? Can I rely on the combination to be more secure?

mskfisher
  • 149
  • 4
  • 1
    Possible duplicate of [Using multiple hashes to verify a file](https://security.stackexchange.com/questions/184761/using-multiple-hashes-to-verify-a-file) and [What's the point of using multiple checksum algorithm with “aide”?](https://security.stackexchange.com/questions/26417/whats-the-point-of-using-multiple-checksum-algorithm-with-aide) and [maybe more](https://www.google.com/search?q=site%3Asecurity.stackexchange.com+use+multiple+hashes) – Steffen Ullrich May 29 '18 at 15:44
  • 1
    This is essentially a form of "roll your own hash" by combining two hash algorithms to create a 3rd. The general advice on this is don't. If your hash is broken such that it's possible to find a collision in a "reasonable" amount of time you should simply choose a different, more secure hash algorithm. – Steve Sether May 29 '18 at 16:07
  • @SteffenUllrich The questions are definitely dupes, but the answer doesn't seem very satisfying :/ – Mike Ounsworth May 29 '18 at 17:13
  • 2
    This one seems to have a fairly canonical answer from ThomasPornin: [Are different hash algorithms ever used together?](https://security.stackexchange.com/q/8940/61443) _"Concatenation (the data is hashed with both hash functions, the results are concatenated) yields a collision resistance equivalent to at least that of the strongest of the two functions (and, surprisingly, not really better than that)"_ – Mike Ounsworth May 29 '18 at 17:19
  • Another good answer from Polynomial: [Can I combine two of SHA-3 candidates cryptography hash functions and obtain more secure Algorithm? \[duplicate\]](https://security.stackexchange.com/q/20211/61443) – Mike Ounsworth May 29 '18 at 17:20

2 Answers2

2

Second hash will reduce probability of collision (i.e. it is more 'secure') but unfortunately it can not completely eliminate it.

From my point of view single long hash (such as sha512) is better than two short hashes because collision for two hashes can be searched in parallel and will take less time.

John Doe
  • 121
  • 4
  • 1
    a hash is a finite character set. there is 2^128 or 2^256 or 2^512 for most. so that being said, with infinite length files, there is always some combination that will result in 2 3 4 + hash collision possibilities. However, since brute forcing is the way to find collisions on most hashes, it's just not possible to find in a reasonable amount of time. If they started hashing a binary with todays gpus, they'd have trillions of years to find it. This is why you use 2 hashes, and to be safe, use 2 that aren't related, like sha512 and md5. since md5 is old, you can find another one (paranoia) – Robert Cotterman Dec 07 '20 at 17:29
2

A second hash will be more "secure", the question is if it's secure enough for your threat model.

To find a collision for the two given algorithms an attacker should find collisions for one of the algorithms and check if the collision happens using the other.

This is possible to achieve as the group of infinite inputs that produce a collision for algorithm A and the group of infinite inputs that produce a collision for algorithm B are probable to have a non null intersection.

In order to do that, the attacker should at least have the computer power to produce an MD5 collision AND a SHA1 collision.

Whether this is currently possible in an amount of time that would imply a risk is impossible to tell as there are no known collisions for both algorithms (MD5 and SHA1) at the same time

Note: This is assuming that there is no algorithm better than bruteforce to find a collision for the two algorithms at the same time, for which there is no evidence that it exist

Mr. E
  • 1,954
  • 9
  • 18