Crypto '09 rump session summary?
Greg Rose
ggr at qualcomm.com
Wed Aug 19 17:46:10 EDT 2009
Target collisions for MD5 can be calculated in seconds on a laptop,
based on just a small change in the first block of input. There was
also a semi-successful demo of MD5 certificate problems; you could
join the special wireless network, and any https connection would be
silently proxied using the fake CA certificate generated a few months
ago. (You had to set your clock back to 2004, though, since the CA
certificate was intentionally generated to be long expired.)

The SHA-1 attack complexity of 2^52 was a correct improvement to an
incorrect result. Don't currently have an accurate estimate; IIUC it's
bounded above by 2^56.

The related-key attacks on AES have been extended to AES-192, and also
to some sort of non-standard AES-128, but it wasn't clear to me what
it was that they did. AES-128 as standardized is still (and likely to
remain) safe.

The National Museum of Computing (at Bletchley Park in England) is
doing interesting stuff, but is still starved for cash. There is a
501(c)3 you can donate to for tax deductibility and corporate
matching, if people want to donate.

Don't run algorithms on secret data in the cloud; it's not too
difficult for an attacker to get themselves assigned to the same
machine and use timing/cache attacks to recover your keys.

(At that point I was tired and inebriated and left.)

Greg.
On 2009 Aug 19, at 2:01, Perry E. Metzger wrote:
>
> Watching the rump session online briefly last night, I saw that some
> interesting new results on MD5 and AES seem to have been discussed at
> the conference. Would anyone care to give us a brief overview for the
> mailing list?
>
> Perry
> --
> Perry E. Metzger perry at piermont.com
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
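Greg's closing point, that a co-tenant on the same cloud machine can use timing or cache side channels to recover keys, is usually illustrated by the simplest such leak: a secret comparison that stops at the first mismatching byte runs for a time proportional to how much of the guess is right. The following is an added example, not code from the post or from any rump-session talk; the secret value, the guesses, and the function names are constructed for illustration. It replaces wall-clock time with a deterministic count of bytes examined so the leak is visible without measurement noise, and sets the naive routine beside the constant-time form and the stdlib primitive a defender should actually use.

```python
"""Early-exit comparison leaks the matching prefix length; constant-time
comparison does not. Added example (not from the mailing-list post); the
secret and guesses below are constructed sample values."""
import hmac
from typing import Iterable, List, Tuple


def naive_compare(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Byte-by-byte comparison that returns at the first mismatch.

    Returns (equal, bytes_examined). The second value stands in for elapsed
    time: it equals the length of the common prefix plus one, so an observer
    who can time this call learns the secret one byte at a time.
    """
    steps = 0
    if len(expected) != len(provided):
        return False, steps
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Examines every byte and accumulates differences with OR.

    The work done no longer depends on where the first mismatch sits, only
    on the length, which is not secret for fixed-size tags and keys.
    """
    steps = 0
    if len(expected) != len(provided):
        return False, steps
    diff = 0
    for a, b in zip(expected, provided):
        steps += 1
        diff |= a ^ b  # stays non-zero once any byte differs
    return diff == 0, steps


def verify_tag(expected_tag: bytes, provided_tag: bytes) -> bool:
    """What production code should call: the stdlib constant-time primitive."""
    return hmac.compare_digest(expected_tag, provided_tag)


def examined_profile(compare, secret: bytes, guesses: Iterable[bytes]) -> List[int]:
    """Bytes examined for each guess; a rising profile is the leak itself."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample secret and a series of guesses that match a growing prefix.
SECRET = b"k3y-1234"
GUESSES = [b"xxxxxxxx", b"k3xxxxxx", b"k3y-1xxx", b"k3y-1234"]

if __name__ == "__main__":
    print("naive    :", examined_profile(naive_compare, SECRET, GUESSES))
    print("constant :", examined_profile(constant_time_compare, SECRET, GUESSES))
    print("stdlib ok:", verify_tag(SECRET, b"k3y-1234"), verify_tag(SECRET, b"k3y-1235"))
```

Run as a script it prints a profile that climbs with each correct prefix byte for the naive routine and stays flat for the constant-time one. The same reasoning applies to data-dependent memory accesses (table lookups indexed by key bytes) that cache-timing attacks exploit; the defensive rule is the same, keep control flow and memory access patterns independent of secret values, and prefer a vetted primitive over a hand-rolled loop.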