MD5 considered harmful today, SHA-1 considered harmful tomorrow
Weger, B.M.M. de
b.m.m.d.weger at TUE.nl
Sat Jan 10 17:32:44 EST 2009
Hi Victor,

> Bottom line, anyone fielding a SHA-2 cert today is not going
> to be happy with their costly pile of bits.

Will this situation have changed by the end of 2010 (that's
next year, by the way), when everybody who takes NIST seriously
will have to switch to SHA-2? The first weakness shown in MD5
was not in 2004 but in 1995. Apparently it takes a very long
time before the awareness about the implications of using
weakened or broken crypto has reached a sufficient level. Though
I understand the practical issues you're talking about, Victor,
my bottom line is different.

In my view, the main lesson that the information security community,
and in particular its intersection with the application building
community, has to learn from the recent MD5 and SHA-1 history,
is that strategies for dealing with broken crypto need rethinking.
[[Maybe in the previous sentence the word "intersection" should be
replaced by "union".]]

Grtz,
Benne de Weger

PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
offering the video and audio files of the 25c3 presentation "MD5
considered harmful today", provide for integrity checking of those
files their, uhm, MD5 hashes.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com