Crypto '09 rump session summary?

Greg Rose ggr at qualcomm.com
Wed Aug 19 17:46:10 EDT 2009


Target collisions for MD5 can be calculated in seconds on a laptop,  
based on just a small change in the first block of input. There was  
also a semi-successful demo of MD5 certificate problems; you could  
join the special wireless network, and any https connection would be  
silently proxied using the fake CA certificate generated a few months  
ago. (You had to set your clock back to 2004, though, since the CA  
certificate was intentionally generated to be long expired).

The SHA-1 attack complexity of 2^52 was a correct improvement to an  
incorrect result. Don't currently have an accurate estimate; IIUC it's  
bounded above by 2^56.

The related-key attacks on AES have been extended to AES-192, and also  
to some sort of non-standard AES-128, but it wasn't clear to me what  
it was that they did. AES-128 as standardized is still (and likely to  
remain) safe.

The National Museum of Computing (at Bletchley Park in England) is  
doing interesting stuff, but is still starved for cash. There is a  
501(c)3 you can donate to for tax deductibility and corporate  
matching, if people want to donate.

Don't run algorithms on secret data in the cloud; it's not too  
difficult for an attacker to get themselves assigned to the same  
machine and use timing/cache attacks to recover your keys.

(At that point I was tired and inebriated and left.)

Greg.

On 2009 Aug 19, at 2:01 , Perry E. Metzger wrote:

>
> Watching the rump session online briefly last night, I saw that some
> interesting new results on MD5 and AES seem to have been discussed at
> the conference. Would anyone care to give us a brief overview for the
> mailing list?
>
> Perry
> --
> Perry E. Metzger		perry at piermont.com
>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
