Newsgroups: sci.crypt
Path: cactus.org!milano!cs.utexas.edu!wupost!uunet!cis.ohio-state.edu!magnus.acs.ohio-state.edu!masic
From: masic@magnus.acs.ohio-state.edu (Miroslav D Asic)
Subject: Re: IBM-PC random generator, source included
Message-ID: <1992Jun29.003532.1663@magnus.acs.ohio-state.edu>
Summary: CRC is not safe
Keywords: MD5, hashing, CRC
Sender: news@magnus.acs.ohio-state.edu
Nntp-Posting-Host: top.magnus.acs.ohio-state.edu
Organization: The Ohio State University
References: <1992Jun26.080402.27283@ncar.ucar.edu> <1992Jun26.231556.4588@cactus.org> <1992Jun27.005817.21922@ncar.ucar.edu>
Date: Mon, 29 Jun 1992 00:35:32 GMT
Lines: 42

In article <1992Jun27.005817.21922@ncar.ucar.edu> prz@sage.cgd.ucar.edu (Philip Zimmermann) writes:
>In article <1992Jun26.231556.4588@cactus.org> ritter@cactus.org (Terry Ritter) writes:
>>
>> In <1992Jun26.080402.27283@ncar.ucar.edu> prz@sage.cgd.ucar.edu
>> (Philip Zimmermann) writes:
>> ......
>This is the nature of the avalanche effect of a perfect hash function--
>I was using MD5 as an example. You can replace it with any other stronger
>hash. If your hash is perfect, there is indeed reason to believe that
>the essential randomness will be avalanched throughout the output, regardless
>of which bits were the random bits in the input.
>>
>> If we want every bit of the output to depend on every
>> bit of the input we could use CRC's.
>                     ^^^^^^^^^^^^^^^^^^^
>I wouldn't trust a CRC for this. If your hash is one-way, and
>cryptographically strong, it would hide any patterns in the imperfect
 ^^^^^^^^^^^^^^^^^^^^^^^^^
>noisy input. CRC is not as good as MD5 for this.
              ^^^^^^^^^^^^^^^^^^^^^^^^^
...
...

That's a mild understatement!

It appears from this (and some earlier postings) that quite a few people
believe that CRC has some cryptographic value. An article in Dr. Dobb's
Journal (May 1992) suggests that it could be used to detect a virus-infested
file (giving a warning that `an exceptionally clever' virus might be able to
fool CRC). CRC was not designed for that and should *not* be used for that.
Specifically, it is _easy_ to:

  - Find two different files with the same CRC;
  - Construct a file with an arbitrary CRC (given in advance).

These two are (allegedly) computationally infeasible when MD5 or the proposed
SHA are used. CRC is a great tool to detect accidental changes to files, but
to use it in cryptography is downright dangerous.

Cheerio,
Miroslav
-- 
***** Miroslav D. Asic, Dept. of Math., The Ohio State Univ. *****
***** masic@magnus.acs.ohio-state.edu or asic.1@ohstmail      *****
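Worked example of both claims in the post (added here; this is not code from the post or from the IBM-PC generator the thread discusses). It uses the standard CRC-32 that zlib.crc32 computes (reflected polynomial 0xEDB88320, initial and final XOR 0xFFFFFFFF). The point is linearity: feeding four bytes b0..b3 into a CRC register r produces the same register as feeding four zero bytes into r XOR (b0 | b1<<8 | b2<<16 | b3<<24), and a zero-byte step is an invertible map (the top byte of each table entry identifies the entry). So for any file and any target CRC, a four-byte suffix can be solved for directly; a collision is just the special case where the target is some other file's CRC. Function names and the sample "file" bytes are my own constructions.

```python
"""CRC-32 forgery: append 4 bytes to hit any chosen CRC (added example, not from the post)."""
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses
MASK = 0xFFFFFFFF


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The top byte of TABLE[i] is a bijection of i; that is what makes one step invertible.
TOP_TO_INDEX = {TABLE[i] >> 24: i for i in range(256)}
assert len(TOP_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    """Table-driven CRC-32, identical to zlib.crc32; spelled out so the register update is visible."""
    r = MASK
    for b in data:
        r = TABLE[(r ^ b) & 0xFF] ^ (r >> 8)
    return r ^ MASK


def matches_zlib(data: bytes) -> bool:
    """Sanity check that our CRC agrees with the library implementation."""
    return crc32(data) == zlib.crc32(data)


def _invert_zero_step(reg: int) -> int:
    """Undo one zero-byte update reg = TABLE[s & 0xFF] ^ (s >> 8) and return s.

    (s >> 8) has a zero top byte, so the top byte of reg is the top byte of
    TABLE[s & 0xFF], which pins down the index; the rest of s follows.
    """
    idx = TOP_TO_INDEX[reg >> 24]
    return (((reg ^ TABLE[idx]) << 8) | idx) & MASK


def forge_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that crc32(data + suffix) == target."""
    reg_after_data = crc32(data) ^ MASK   # register state after processing data
    wanted_reg = target ^ MASK            # register state that yields target after the final XOR
    s = wanted_reg
    for _ in range(4):                    # run four zero-byte steps backwards
        s = _invert_zero_step(s)
    # Feeding bytes W from reg_after_data == feeding zeros from reg_after_data ^ W, so W = reg ^ s.
    return ((reg_after_data ^ s) & MASK).to_bytes(4, "little")


def forge(data: bytes, target: int) -> bytes:
    """'Construct a file with an arbitrary CRC (given in advance).'"""
    return data + forge_suffix(data, target)


def collide(keep: bytes, other: bytes) -> bytes:
    """'Find two different files with the same CRC': patch `other` to carry crc32(keep)."""
    return forge(other, crc32(keep))


if __name__ == "__main__":
    # Constructed sample: a 'file' a CRC-based checker has recorded, and an 'infected' copy.
    original = b"MZ-constructed-program-image-contents"
    infected = original + b"-plus-injected-code"
    patched = collide(original, infected)
    print(f"original CRC {crc32(original):08x}, infected CRC {crc32(infected):08x}")
    print(f"patched CRC  {crc32(patched):08x}  (suffix {patched[-4:].hex()})")
    print(f"any target:  {crc32(forge(b'whatever', 0xDEADBEEF)):08x}")
```

The suffix is solved, not searched: four table lookups, no brute force, and the same linear algebra lets the four controllable bytes sit anywhere in the file rather than only at the end. This is exactly why a checksum chosen for detecting line noise says nothing about an adversary who can choose the bytes, which is the post's point about the Dr. Dobb's virus-detection suggestion and about using CRC in place of a one-way hash.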