SHA-1 cracked

John Kelsey kelsey.j at ix.netcom.com
Thu Feb 17 10:20:07 EST 2005


>From: Ian G <iang at systemics.com>
>Sent: Feb 16, 2005 5:33 PM
>To: "Steven M. Bellovin" <smb at cs.columbia.edu>
>Cc: cryptography at metzdowd.com
>Subject: Re: SHA-1 cracked

>Stefan Brands just posted on my blog (and I saw
>reference to this in other blogs, posted anon)
>saying that "it seems that Schneier forgot to
>mention that the paper has a footnote which
>says that the attack on full SHA-1 only works
>if some padding (which SHA-1 requires) is not
>done."

Anyone know where we could find the paper?  It'd be kind of convenient when trying to assess the impact of the attack if we knew at least a few details...

If it's really the case that the attack requires colliding messages of different sizes (that's what this comment implies), then maybe the attack won't be applicable in the real world, but it's hard to be sure of that.  Suppose I can find collisions of the form (X,X*) where X is three blocks long, and X* is four blocks long.  Now, that won't work as a full collision, because the length padding at the end will change for X and X*.  But I can find two such collisions, and still get a working attack by concatenating them.

>iang

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
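
Added example, not part of the original message: one reading of the concatenation argument above, run on a toy Merkle-Damgard hash with a 16-bit state so the searches finish instantly. The compression function (truncated SHA-256), block size, padding layout and all names are assumptions made here; the second pair is searched from the chaining value reached after the first, with the lengths swapped, so both concatenations are 7 blocks long.

```python
import hashlib
from itertools import count

BLOCK = 4          # toy block size in bytes (assumption)
IV = b"\x00\x00"   # toy 16-bit initial chaining value (assumption)

def compress(h, block):
    # Toy compression function: SHA-256(h || block) truncated to 16 bits.
    return hashlib.sha256(h + block).digest()[:2]

def chain(h, msg):
    # Merkle-Damgard iteration with NO padding; msg is a whole number of blocks.
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return h

def pad(msg):
    # Length padding: 0x80, zero fill, then the message length in the last 2 bytes.
    zeros = b"\x00" * (-(len(msg) + 3) % BLOCK)
    return msg + b"\x80" + zeros + len(msg).to_bytes(2, "big")

def toy_hash(msg):
    return chain(IV, pad(msg))

def find_collision(h, n_a, n_b, table_size=1024):
    # Birthday search from chaining value h for an n_a-block and an n_b-block
    # message that reach the same chaining value when no padding is applied.
    seen = {}
    for i in range(table_size):
        a = i.to_bytes(n_a * BLOCK, "big")
        seen[chain(h, a)] = a
    for j in count():
        b = b"\xff" + j.to_bytes(n_b * BLOCK - 1, "big")
        a = seen.get(chain(h, b))
        if a is not None:
            return a, b

def demo():
    # (X, X*) is 3 vs 4 blocks from IV; (Y, Y*) is 4 vs 3 blocks from the shared state.
    x, x_star = find_collision(IV, 3, 4)
    mid = chain(IV, x)
    y, y_star = find_collision(mid, 4, 3)
    return x, x_star, x + y, x_star + y_star

if __name__ == "__main__":
    x, x_star, m1, m2 = demo()
    print("final padded block:", pad(x)[-BLOCK:].hex(), "vs", pad(x_star)[-BLOCK:].hex())
    print("7-block messages:", toy_hash(m1).hex(), toy_hash(m2).hex(), m1 != m2)
```

The first printed line shows the padded final blocks of X and X* differing in the length field, which is why that pair alone is not a collision for the padded hash; the second shows the two equal-length concatenations hashing to the same value.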


