MD5 considered harmful today, SHA-1 considered harmful tomorrow

Victor Duchovni Victor.Duchovni at morganstanley.com
Fri Jan 9 23:09:07 EST 2009


On Thu, Jan 08, 2009 at 06:23:47PM -0600, Dustin D. Trammell wrote:

> Nearly everything I've seen regarding the proposed solutions to this
> attack have involved migration to SHA-1.  SHA-1 is scheduled to be
> decertified by NIST in 2010, and NIST has already recommended[1] moving
> away from SHA-1 to SHA-2 (256, 512, etc.).  Collision attacks have
> already been demonstrated[2] against SHA-1 back in 2005, and if history
> tells us anything then things will only get worse for SHA-1 from here.
> By not moving directly to at least SHA-2 (until the winner of the NIST
> hash competition is known), these vendors are likely setting themselves
> up for similar attacks in the (relatively) near future.

All fine and good, but no existing OpenSSL release (including
0.9.9-dev) will by default inter-operate with the resulting (SHA2)
certificates. The SSL_library_init() call only initializes "ssl"
ciphers and digests, which do not include SHA-2. So most SSL
applications won't be able to verify the certificate signatures.
One needs to call OpenSSL_add_all_algorithms() before SHA-2
signed certificates work.

Bottom line, anyone fielding a SHA-2 cert today is not going to be happy
with their costly pile of bits.

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
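The check implied by this exchange, written out as an added example (not code from the post, the list, or OpenSSL): before fielding a certificate, read the signatureAlgorithm OID out of the DER and see whether it is MD5, SHA-1 or SHA-2, and confirm that the outer signatureAlgorithm matches the signature field inside tbsCertificate as RFC 5280 4.1.1.2 requires. The OID table and the DER walk are my own; the sample certificates are constructed (correct X.509 framing, dummy signature, no keys). The SHA-2 verdict string repeats Victor's point about the 0.9.8/0.9.9-dev releases of January 2009; OpenSSL 1.1.0 and later initialise the library implicitly, so that caveat applies to clients built on the older releases.

```python
"""Report which digest a DER-encoded X.509 certificate is signed with.
Added example; not code from the mailing-list post or from OpenSSL.
Only the framing is parsed: Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm, signatureValue }; the TBS starts with an optional
[0] version, then serialNumber, then signature (RFC 5280 4.1)."""

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> digest used.
SIG_ALG_DIGEST = {
    "1.2.840.113549.1.1.4": "MD5",        # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",   # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",   # sha512WithRSAEncryption
    "1.2.840.10040.4.3": "SHA-1",         # dsa-with-sha1
    "1.2.840.10045.4.1": "SHA-1",         # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",     # ecdsa-with-SHA256
}


def read_tlv(buf, pos, want=None):
    """Decode the DER element at buf[pos:] -> (tag, contents, end).
    If `want` is given, the tag must equal it."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length octets
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (want, tag))
    return tag, buf[pos:end], end


def decode_oid(contents):
    """OID contents octets -> dotted notation (base-128 subidentifiers)."""
    if not contents or contents[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for b in contents:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]                       # first subidentifier packs two arcs
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def algorithm_oid(alg_id):
    """AlgorithmIdentifier contents -> dotted OID (parameters ignored)."""
    return decode_oid(read_tlv(alg_id, 0, want=0x06)[1])


def signature_algorithm_oids(der_cert):
    """Return (signatureAlgorithm OID, tbsCertificate.signature OID)."""
    _, cert, end = read_tlv(der_cert, 0, want=0x30)
    if end != len(der_cert):
        raise ValueError("trailing bytes after the certificate")
    _, tbs, pos = read_tlv(cert, 0, want=0x30)       # tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos, want=0x30)   # signatureAlgorithm
    tag, _, pos = read_tlv(tbs, 0)                   # [0] version is optional
    if tag != 0xA0:
        pos = 0
    _, _, pos = read_tlv(tbs, pos, want=0x02)        # serialNumber
    _, tbs_alg, _ = read_tlv(tbs, pos, want=0x30)    # signature
    return algorithm_oid(sig_alg), algorithm_oid(tbs_alg)


def classify(der_cert):
    """Digest in use, plus the deployment verdict this thread is about."""
    outer, inner = signature_algorithm_oids(der_cert)
    digest = SIG_ALG_DIGEST.get(outer, "unknown")
    if outer != inner:       # RFC 5280 4.1.1.2: the two identifiers must match
        verdict = "reject: signatureAlgorithm and tbsCertificate.signature differ"
    elif digest == "MD5":
        verdict = "broken: MD5 collisions are practical, reissue the certificate"
    elif digest == "SHA-1":
        verdict = "deprecated: collisions demonstrated, plan the move to SHA-2"
    elif digest == "unknown":
        verdict = "unknown signature algorithm OID " + outer
    else:
        verdict = ("SHA-2: 2009-era OpenSSL clients that only call "
                   "SSL_library_init() need OpenSSL_add_all_algorithms() too")
    return {"oid": outer, "digest": digest, "consistent": outer == inner,
            "verdict": verdict}


def der(tag, contents):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        while s > 0x7F:
            s >>= 7
            chunk.append(0x80 | (s & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def constructed_certificate(sig_oid, tbs_sig_oid=None):
    """Constructed sample: X.509 framing with a dummy signature, no keys.
    tbs_sig_oid sets a different inner algorithm to exercise the mismatch check."""
    def alg_id(oid):                        # RSA algorithms carry NULL params
        params = der(0x05, b"") if oid.startswith("1.2.840.113549") else b""
        return der(0x30, encode_oid(oid) + params)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))         # version v3
                    + der(0x02, b"\x01\x23\x45")           # serialNumber
                    + alg_id(tbs_sig_oid or sig_oid)       # signature
                    + der(0x30, b""))                      # rest of TBS elided
    signature = der(0x03, b"\x00" + b"\xab" * 256)        # dummy BIT STRING
    return der(0x30, tbs + alg_id(sig_oid) + signature)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5",
                "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(classify(constructed_certificate(oid)))
    print(classify(constructed_certificate("1.2.840.113549.1.1.11",
                                           "1.2.840.113549.1.1.5")))
```

On a real certificate, feed `classify()` the DER bytes (PEM files need the base64 body decoded first); the same answer is visible in the "Signature Algorithm" lines of `openssl x509 -noout -text`, which prints both the TBS copy and the outer one. The mismatch case is not academic: a certificate whose two algorithm identifiers disagree has been tampered with or mis-issued and should be rejected rather than graded by either digest.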