MD5 considered harmful today, SHA-1 considered harmful tomorrow

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Mon Jan 12 07:20:34 EST 2009


Weger, B.M.M. de wrote:
> In my view, the main lesson that the information security community, 
> and in particular its intersection with the application building 
> community, has to learn from the recent MD5 and SHA-1 history,
> is that strategies for dealing with broken crypto need rethinking.

On the other hand, compared to many other aspects of our security
infrastructure, even MD5 does quite well.  Of course, that is not meant
to be taken as an excuse.  I agree with your call to have smooth
transition systems to go from one cipher to another, but when to make
the transition is a difficult decision to make.

> PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/) 
> offering the video and audio files of the 25c3 presentation "MD5 
> considered harmful today", provide for integrity checking of those 
> files their, uhm, MD5 hashes.

It seems to me they are only provided to protect against transmission
errors, and they are fine for that.  Otherwise, it would be a more
serious mistake to transfer them in-band.  Security is a spectrum.

Thanks,
Marcus

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


