Roland Mainz
2013-Sep-24 21:39 UTC
Multiple keys/methods per key exchange (e.g. multi-md5-sha1-md4@libssh.org) Re: [PATCH] curve25519-sha256@libssh.org key exchange proposal
On Tue, Sep 24, 2013 at 10:21 PM, Aris Adamantiadis <aris at 0xbadc0de.be> wrote:
[snip]
> I've worked this week on an alternative key exchange mechanism, in
> reaction to the whole NSA leaks and claims over cryptographic backdoors
> and/or cracking advances. The key exchange is in my opinion the most
> critical defense against passive eavesdropping attacks.
> I believe Curve25519 from DJB can give users a secure alternative to
> classical Diffie-Hellman (with fixed groups or group exchanges) and
> NIST-approved elliptic curves.
[snip]

... that reminds me of an old idea (note: I'm no expert in this stuff... which means the idea may be total nonsense... or not... :-) ):

Is it useful to combine multiple hash algorithms/methods for a key exchange?

The idea would be to use something like "md5" and "sha1" in a key exchange (and append the hash sums) ... individually they are obsolete and more or less cracked or have serious weaknesses, but if the hash sums are combined (e.g. appended... *NOT* XOR'ed!) it would be near impossible to exploit the known weaknesses for reasonably small data.

AFAIK the advantages would be:
- Existing hardware acceleration for md4/md5/sha1 can be used
- Even using something like md5+sha256 would mean additional protection against weaknesses in either of the hash sum methods
- All algorithms can be executed in parallel (either different CPUs or different crypto engines)

Note that the whole thing is not limited to two keys/methods, in theory there could be something like "multi-md5-sha1-md4-sha256 at libssh.org" to use md5, sha1, md4 and sha256 hash sums.

Question is now... how mad/bad is the idea?

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)
Aris Adamantiadis
2013-Sep-25 05:48 UTC
Multiple keys/methods per key exchange (e.g. multi-md5-sha1-md4@libssh.org) Re: [PATCH] curve25519-sha256@libssh.org key exchange proposal
On 24/09/13 23:39, Roland Mainz wrote:
> Is it useful to combine multiple hash algorithms/methods for a key exchange?
>
> The idea would be to use something like "md5" and "sha1" in a key
> exchange (and append the hash sums) ... individually they are
> obsolete and more or less cracked or have serious weaknesses, but if
> the hash sums are combined (e.g. appended... *NOT* XOR'ed!) it would
> be near impossible to exploit the known weaknesses for reasonably
> small data.

Hi,

That doesn't seem a very good idea. It is harmless, but currently we still have no preimage attack on sha1, which would be needed to perform such an attack. SHA2 is still very strong and that's what is used with all ECDH key exchanges. MD5 is used nowhere in SSH (and there's no preimage attack for it either).

I am myself thinking of using SHA3 in sponge mode for the packet authentication layer but it's probably overkill. Using existing crypto correctly (like ETM mode) is probably more efficient.

Aris
Christian Weisgerber
2013-Sep-25 15:40 UTC
Multiple keys/methods per key exchange (e.g. multi-md5-sha1-md4@libssh.org) Re: [PATCH] curve25519-sha256@libssh.org key exchange proposal
Roland Mainz <roland.mainz at nrubsig.org> wrote:
> Is it useful to combine multiple hash algorithms/methods for a key exchange?
>
> The idea would be to use something like "md5" and "sha1" in a key
> exchange (and append the hash sums) ... individually they are
> obsolete and more or less cracked or have serious weaknesses, but if
> the hash sums are combined (e.g. appended... *NOT* XOR'ed!) it would
> be near impossible to exploit the known weaknesses for reasonably
> small data.

In general, this is not a good idea, see

Antoine Joux, "Multicollisions in iterated hash functions. Application to cascaded constructions"
http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
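As an added illustration of the Joux result cited above (example code written for this page, not from the thread or from libssh), here is a toy 16-bit Merkle-Damgard hash h1 and an unrelated 16-bit hash h2: chaining t one-block collisions in h1 yields 2^t messages that all share the same h1 value for about t*2^8 compression calls, and a birthday search over that set then finds a pair that also agrees on h2. A collision for the 32-bit concatenation h1||h2 therefore costs a few thousand hash calls instead of the roughly 2^16 a genuine 32-bit hash would require, which is why appending digests buys much less than the sum of their lengths suggests. All hash functions, constants and names below are constructed for this example.

```python
import hashlib

BLOCK = 2           # bytes per message block (constructed toy parameter)
N = 2               # bytes of chaining state: a 16-bit toy hash
IV1 = b"\x00\x01"   # fixed initial value of the iterated hash

def compress(state: bytes, block: bytes) -> bytes:
    # toy compression function: SHA-256 of state||block, truncated to N bytes
    return hashlib.sha256(state + block).digest()[:N]

def h1(msg: bytes) -> bytes:
    # toy Merkle-Damgard iteration (no padding; len(msg) is a multiple of BLOCK)
    state = IV1
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state

def h2(msg: bytes) -> bytes:
    # second, unrelated 16-bit toy hash; h1(m) + h2(m) is the 32-bit cascade
    return hashlib.sha256(b"h2:" + msg).digest()[:N]

def one_block_collision(state: bytes):
    # birthday search (~2^8 compress calls): two distinct blocks, same next state
    seen = {}
    for b in range(1 << (8 * BLOCK)):
        blk = b.to_bytes(BLOCK, "big")
        nxt = compress(state, blk)
        if nxt in seen:
            return seen[nxt], blk, nxt
        seen[nxt] = blk
    raise RuntimeError("compress acts as a permutation on this state")

def joux_multicollision(t: int):
    # t chained one-block collisions: each of the 2^t block choices has the same h1
    state, pairs = IV1, []
    for _ in range(t):
        a, b, state = one_block_collision(state)
        pairs.append((a, b))
    return pairs

def find_cascade_collision(t: int = 16):
    # walk the 2^t h1-colliding messages until two also agree under h2 (~2^8 expected)
    pairs = joux_multicollision(t)
    seen = {}
    for k in range(1 << t):
        msg = b"".join(pairs[i][(k >> i) & 1] for i in range(t))
        tag = h2(msg)
        if tag in seen:
            return seen[tag], msg   # two distinct messages with equal h1||h2
        seen[tag] = msg
```

The same argument scales to real digest sizes: cascading an n-bit iterated hash with an m-bit hash costs about t*2^(n/2) + 2^(m/2) to break, not 2^((n+m)/2), so a single strong hash such as SHA-256 is the better choice.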