MD5 considered harmful today, SHA-1 considered harmful tomorrow
Dustin D. Trammell
dtrammell at breakingpoint.com
Thu Jan 8 19:23:47 EST 2009
On Tue, 2008-12-30 at 11:51 -0800, "Hal Finney" wrote:
> Therefore the highest priority should be for the six bad CAs to change
> their procedures, at least start using random serial numbers and move
> rapidly to SHA1. As long as this happens before Eurocrypt or whenever
> the results end up being published, the danger will have been averted.
> This, I think, is the main message that should be communicated from this
> important result.
Nearly everything I've seen regarding the proposed solutions to this
attack have involved migration to SHA-1. SHA-1 is scheduled to be
decertified by NIST in 2010, and NIST has already recommended[1] moving
away from SHA-1 to SHA-2 (256, 512, etc.). Collision attacks have
already been demonstrated[2] against SHA-1 back in 2005, and if history
tells us anything then things will only get worse for SHA-1 from here.
By not moving directly to at least SHA-2 (until the winner of the NIST
hash competition is known), these vendors are likely setting themselves
up for similar attacks in the (relatively) near future.
[1] http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
[2] http://www.cryptography.com/cnews/hash.html
--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20090108/647f19e8/attachment.pgp>
More information about the cryptography
mailing list