[saag] status of SSL vs SHA-1/MD-5, etc.?
Steven M. Bellovin
smb at cs.columbia.edu
Sun Oct 16 09:46:12 EDT 2005
In message <4.3.2.7.1.20051015234218.0525d718 at mail.alten.org>, Alex Alten writes:
>Everyone,
>
>So where do we stand with secure networking protocols vs SHA-1/MD-5?
>
>Is SSL at risk? Is TLS OK (because of HMAC)?
>
>SSH, IPSec, etc?
>
The major risk that I know of is for signed objects, which generally
means signed email, i.e., S/MIME and PGP. MD5 absolutely should not be
used for email, period. The current attack on SHA-1 is probably
infeasible for most attackers; that said, it would be better to have
something stronger. We'll know more about that in two weeks, after
NIST's Hash Function Workshop. As I mentioned on the cryptography list
-- did you really have to post your query to all three lists? -- a few
days ago, NSA rated SHA-384 as suitable for Top Secret traffic, though
I'll note that the authenticity of a message rarely has the long-term
need for security as does confidentiality.
As Eric Rescorla and I showed, though, none of the network protocols
are ready for deployment of a new hash function. That is, newer
versions of OpenSSL may support SHA-256, but there's no way to
negotiate such usage if you don't know the status of the system to
which you're talking.
My own estimate is that it will take 4-8 years before everything just
works: 1 year for the IETF to standardize negotiation mechanisms, 1-2
years for design, code, and test by vendors, and 2-5 years for
deployment by the user community -- note that most machines are *never*
upgraded, only replaced.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
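As an added illustration (not part of Bellovin's post or of any protocol's real code), a small Python model of the hash-agility problem he describes: a peer that can advertise a hash list lets you pick the strongest common algorithm, while a peer with no negotiation mechanism at all leaves you stuck on whatever the protocol version hard-codes. The preference list, the SHA-1 legacy default and the signature policy are constructed assumptions for the example.

```python
import hashlib
import hmac

# Strongest first. SHA-384 is the algorithm the post notes NSA rated for Top Secret.
PREFERENCE = ("sha384", "sha256", "sha1", "md5")

# Digests never accepted for signed objects (the post's S/MIME and PGP case).
FORBIDDEN_FOR_SIGNATURES = frozenset({"md5"})


def negotiate_hash(our_prefs, peer_offer, legacy_default="sha1"):
    """Pick the strongest hash both sides support.

    peer_offer is None when the peer has no way to advertise hashes at all,
    the situation the post describes for pre-agility protocol versions. The
    only thing you can then rely on is the algorithm that protocol version
    hard-codes; SHA-1 is used here as a constructed stand-in for it.
    """
    if peer_offer is None:
        return legacy_default
    for name in our_prefs:
        if name in peer_offer:
            return name
    raise ValueError("no hash algorithm in common with peer")


def digest(name, data):
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(name, data).hexdigest()


def verify_signed_digest(name, data, expected_hex):
    """Check a digest carried in a signed object, enforcing the MD5 ban.

    Comparison is constant-time; a forbidden algorithm fails regardless of
    whether the digest value would have matched.
    """
    if name in FORBIDDEN_FOR_SIGNATURES:
        return False
    return hmac.compare_digest(digest(name, data), expected_hex)


if __name__ == "__main__":
    print(negotiate_hash(PREFERENCE, {"sha256", "sha1"}))  # sha256
    print(negotiate_hash(PREFERENCE, None))                # sha1 (no agility)
```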
---------------------------------------------------------------------
The Cryptography Mailing List