[openssl-users] Truncating A Hash
jb-openssl at wisemo.com
Mon May 25 15:01:32 UTC 2015
On 15-05-2015 00:09, Jay Foster wrote:
> What is the down side of truncating a hash? For example, an SHA-256
> hash is 256 bits. Is it any less secure if one was to drop the last
> 128 bits to make a 128 bit hash or take the MD5 hash of the SHA-256
> hash to get a 128 bit hash? It does not seem that such an action
> would make it any easier to brute force reverse the hash, but then
> again, I am clearly not a security expert.
In addition to the previous 3 answers, "recent" versions
of the official SHA-256 standard (US Federal Information
Processing Standard 180-4) specify that if you want to
truncate SHA-512 or any of the other "SHA-2" hashes, then
you are supposed to change the initial state at the start
of the calculation to a value that depends on how many
bits you are going to keep.
The alternate start value is specified for SHA-512/128
(which is the same as SHA-384/128) via a formula (which
is somewhat underspecified, check that your
interpretation provides the correct values for
SHA-512/256). There is currently no clear formula for
SHA-256/t and thus SHA-256/128.
Note that unless otherwise specified in another official
standard (such as NIST Special Publication 800-107),
only the specific truncations SHA-512/256 and SHA-512/224
are approved for use by/for the US government. This is
purely a bureaucratic requirement, there is no known
security reason for the rest of the world to follow this
latter limitation to the letter.
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users