[openssl-users] Truncating A Hash

Viktor Dukhovni openssl-users at dukhovni.org
Thu May 14 22:43:34 UTC 2015

On Thu, May 14, 2015 at 03:09:10PM -0700, Jay Foster wrote:

> What is the down side of truncating a hash?  For example, an SHA-256 hash is
> 256 bits.  Is it any less secure if one was to drop the last 128 bits to
> make a 128 bit hash

Yes, a truncated hash is less secure against both collision and
2nd-preimage attacks.

> or take the MD5 hash of the SHA-256 hash to get a 128
> bit hash?

This would not help.

> It does not seem that such an action would make it any easier to
> brute force reverse the hash, but then again, I am clearly not a security
> expert.

Hashes are not encryption algorithms, and dictionary attacks to
discover the original input are not the primary attacks of interest.

In the special case where hashes are used for verifying passwords,
suitably salted and extensively iterated hashes can be truncated
to shorter lengths that still avoid false positives with wrong
passwords, because protection against dictionary attacks comes from
salting and high iteration count (PBKDF2 or similar with 10^5
iterations or more) not the hash length.
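
The collision side of the answer above can be measured on deliberately tiny truncations. This is an added example, not part of the original message: the function names are illustrative and the `msg-N` inputs are constructed. It counts the hashes needed before two inputs share a truncated SHA-256 digest, then extrapolates with the birthday estimate to 128 and 256 bits.

```python
import hashlib
from math import pi, sqrt


def truncated_sha256(data: bytes, nbytes: int) -> bytes:
    """Keep only the first nbytes of the SHA-256 digest."""
    return hashlib.sha256(data).digest()[:nbytes]


def first_collision(nbytes: int):
    """Hash constructed inputs msg-0, msg-1, ... until two of them share
    a truncated digest. Returns (input_a, input_b, hashes_computed)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        tag = truncated_sha256(msg, nbytes)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
        i += 1


def expected_hashes(bits: int) -> float:
    """Birthday estimate: roughly sqrt(pi/2 * 2^bits) hashes are needed
    before the first collision in an ideal bits-wide hash."""
    return sqrt(pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for nbytes in (2, 3, 4):
        bits = 8 * nbytes
        a, b, n = first_collision(nbytes)
        print(f"{bits:3d} bits: {a!r} and {b!r} collide after {n} hashes "
              f"(estimate {expected_hashes(bits):.0f})")
    # Extrapolation only: these sizes are far too large to search here.
    for bits in (128, 256):
        print(f"{bits:3d} bits: estimate {expected_hashes(bits):.3e} hashes")
```

Collision cost grows as about 2^(n/2) in the output length n, so cutting SHA-256 from 256 to 128 bits lowers the collision work from roughly 2^128 to roughly 2^64 hashes.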

