MD5 considered harmful today, SHA-1 considered harmful tomorrow

Weger, B.M.M. de b.m.m.d.weger at TUE.nl
Sat Jan 10 17:32:44 EST 2009


Hi Victor,

> Bottom line, anyone fielding a SHA-2 cert today is not going 
> to be happy with their costly pile of bits.

Will this situation have changed by the end of 2010 (that's
next year, by the way), when everybody who takes NIST seriously 
will have to switch to SHA-2? The first weakness shown in MD5
was not in 2004 but in 1995. Apparently it takes a very long
time before the awareness about the implications of using
weakened or broken crypto has reached a sufficient level. Though
I understand the practical issues you're talking about, Victor,
my bottom line is different.

In my view, the main lesson that the information security community, 
and in particular its intersection with the application building 
community, has to learn from the recent MD5 and SHA-1 history,
is that strategies for dealing with broken crypto need rethinking.

[[Maybe in the previous sentence the word "intersection" should be 
replaced by "union".]]

Grtz,
Benne de Weger

PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/) 
offering the video and audio files of the 25c3 presentation "MD5 
considered harmful today", provide for integrity checking of those 
files their, uhm, MD5 hashes.
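As an added illustration of the point above, not part of Benne's message: a small manifest verifier that treats MD5 and SHA-1 sums as useless for integrity evidence and only accepts SHA-2 digests. It assumes a BSD-style manifest format ("ALG (name) = hex") and a constructed sample file.

```python
import hashlib
import re

# Algorithms a verifier should refuse to rely on: MD5 collisions are
# practical, SHA-1 is on NIST's deprecation track.  A sum in one of these
# only detects accidental corruption, not a deliberate substitution.
REJECTED = {"MD5": "collisions are practical", "SHA1": "deprecated by NIST"}
# Algorithms still acceptable, mapped to their hashlib names.
ACCEPTED = {"SHA256": "sha256", "SHA512": "sha512"}

# BSD-style manifest line: "SHA256 (talk.mp4) = <hexdigest>"
LINE_RE = re.compile(r"^(\w+)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def verify_manifest(manifest, files):
    """Check every manifest entry against files[name] (bytes).

    Returns a list of (algorithm, name, verdict) where verdict is one of
    "ok", "mismatch", "missing", "unknown algorithm", "unparseable"
    or "rejected: <reason>".  Entries are not skipped silently, so a
    manifest that offers only MD5 sums yields no "ok" at all.
    """
    results = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            results.append(("?", line, "unparseable"))
            continue
        alg, name, digest = m.group(1).upper(), m.group(2), m.group(3).lower()
        if alg in REJECTED:
            results.append((alg, name, "rejected: " + REJECTED[alg]))
        elif alg not in ACCEPTED:
            results.append((alg, name, "unknown algorithm"))
        elif name not in files:
            results.append((alg, name, "missing"))
        else:
            actual = hashlib.new(ACCEPTED[alg], files[name]).hexdigest()
            results.append((alg, name, "ok" if actual == digest else "mismatch"))
    return results


# Constructed sample: placeholder bytes standing in for a talk recording,
# plus a manifest that lists both an MD5 and a SHA-256 sum for it.
SAMPLE_FILE = b"25c3 talk recording (constructed placeholder bytes)\n"
SAMPLE_FILES = {"talk.mp4": SAMPLE_FILE}
SAMPLE_MANIFEST = (
    "MD5 (talk.mp4) = " + hashlib.md5(SAMPLE_FILE).hexdigest() + "\n"
    "SHA256 (talk.mp4) = " + hashlib.sha256(SAMPLE_FILE).hexdigest() + "\n"
)
```

Running `verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES)` flags the MD5 line as rejected even though its digest matches, and reports "ok" only for the SHA-256 line.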
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
