On 15-05-2015 00:09, Jay Foster wrote:
> What is the down side of truncating a hash? For example, an SHA-256
> hash is 256 bits. Is it any less secure if one was to drop the last
> 128 bits to make a 128 bit hash or take the MD5 hash of the SHA-256
> hash to get a 128 bit hash? It does not seem that such an action
> would make it any easier to brute force reverse the hash, but then
> again, I am clearly not a security expert.
>

In addition to the previous 3 answers, "recent" versions of the
official SHA-256 standard (US Federal Information Processing
Standard 180-4) specify that if you want to truncate SHA-512 or
any of the other "SHA-2" hashes, then you are supposed to change
the initial state at the start of the calculation to a value that
depends on how many bits you are going to keep.

The alternate start value is specified for SHA-512/128 (which is
the same as SHA-384/128) via a formula (which is somewhat
underspecified, check that your interpretation provides the
correct values for SHA-512/256). There is currently no clear
formula for SHA-256/t and thus SHA-256/128.

Note that unless otherwise specified in another official standard
(such as NIST Special Publication 800-107), only the specific
truncations SHA-512/256 and SHA-512/224 are approved for use
by/for the US government. This is purely a bureaucratic
requirement, there is no known security reason for the rest of
the world to follow this latter limitation to the letter.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
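The initial-state change described in the message above, as an added example that is not part of the original message: a pure-Python SHA-512 that accepts an arbitrary starting state, the FIPS 180-4 IV generation step for SHA-512/t, and a comparison with plain truncation of SHA-512. The function names are this example's own, and `t` is assumed to be a multiple of 8.

```python
import hashlib
from math import isqrt

M = (1 << 64) - 1  # 64-bit word mask

def _icbrt(n):
    """Floor of the cube root of n (binary search on exact integers)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

P = [p for p in range(2, 410) if all(p % d for d in range(2, isqrt(p) + 1))]  # first 80 primes
K = [_icbrt(p << 192) & M for p in P]        # round constants: frac(cbrt(prime))
H512 = [isqrt(p << 128) & M for p in P[:8]]  # standard SHA-512 initial state

def _rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & M

def compress_all(iv, msg):
    """SHA-512 padding and compression, starting from an arbitrary state."""
    pad = b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + (len(msg) * 8).to_bytes(16, "big")
    msg, h = msg + pad, list(iv)
    for off in range(0, len(msg), 128):
        w = [int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "big") for i in range(16)]
        for i in range(16, 80):
            x, y = w[i - 15], w[i - 2]
            s0 = _rotr(x, 1) ^ _rotr(x, 8) ^ (x >> 7)
            s1 = _rotr(y, 19) ^ _rotr(y, 61) ^ (y >> 6)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
        a, b, c, d, e, f, g, hh = h
        for i in range(80):
            t1 = hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
            t2 = (_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))
            a, b, c, d, e, f, g, hh = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
        h = [(u + v) & M for u, v in zip(h, (a, b, c, d, e, f, g, hh))]
    return h

def sha512_t_iv(t):
    """FIPS 180-4 IV generation: hash the ASCII string 'SHA-512/t' from the XOR-modified state."""
    return compress_all([x ^ 0xA5A5A5A5A5A5A5A5 for x in H512], f"SHA-512/{t}".encode())

def sha512_t(t, data):
    """SHA-512/t: start from the t-specific IV, then keep the leftmost t bits."""
    return b"".join(x.to_bytes(8, "big") for x in compress_all(sha512_t_iv(t), data))[:t // 8]

def naive_truncation(t, data):
    """Plain SHA-512 cut to t bits, for comparison with sha512_t()."""
    return hashlib.sha512(data).digest()[:t // 8]
```

Checking `sha512_t_iv(256)` against the SHA-512/256 initial value printed in FIPS 180-4 is the sanity check the message recommends before relying on any other `t`.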