Reputation: 618
Using hash collisions to enhance security?
It's a massive task to create a rainbow table of all possible hashes for a given range (strings of length x) but some have already been composed for methods such as MD5. So surely it's an exponentially larger task to compose a table of known collisions for any given cryptographic hash?
Is there any potential to use collisions to help secure systems because they are harder to find than the hashes themselves?
Perhaps not because there would be very few of these and those discovered would be a small set and actually make for a very small set of permutations from which to create a collision rainbow table?
Just thinking aloud. Might this be useful at all?
Upvotes: 0
Views: 48
Answers (1)
Reputation: 112875
The typical solution to improving the security over MD5 or any cryptographic hash function is iteration.
Just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2 (aka Rfc2898DeriveBytes), password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.
This is not exponential but is a substantial increase in the work factor to an attacker. My laptop can perform a 20 byte SHA512 operation in under 1us so 100ms is a 5 order of magnitude increase in the work factor.
Upvotes: 1
Related Questions
- One way functions, Hash algorithms
- Comparing hashes to test for collisions
- Reducing size of hash
- Is non destructive hash post processing a good idea?
- Do we use hash functions for anything 'critical' under the assumption that collisions will never occur?
- How to handle hash collisions?
- Our purpose on hashing
- best way to resolve collisions in hashing strings
- Password hashing: Is this a way to avoid collisions?
- Intentional Hashing Collisions