MD5 considered harmful today, SHA-1 considered harmful tomorrow

Steven M. Bellovin smb at cs.columbia.edu
Sat Jan 17 11:24:08 EST 2009


On Mon, 12 Jan 2009 16:05:08 +1300
pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:

> "Weger, B.M.M. de" <b.m.m.d.weger at TUE.nl> writes:
> 
> >> Bottom line, anyone fielding a SHA-2 cert today is not going
> >> to be happy with their costly pile of bits.
> >
> >Will this situation have changed by the end of 2010 (that's next
> >year, by the way), when everybody who takes NIST seriously will have
> >to switch to SHA-2?
> 
> I have a general outline of a timeline for adoption of new crypto
> mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically
> algorithms) in my Crypto Gardening Guide and Planting Tips,
> http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt, see
> "Question J" about 2/3 of the way down.  It's not meant to be
> definitively accurate for all cases but was created as a rough
> guideline for people proposing to introduce new crypto mechanisms to
> give an idea of how long they should expect to wait to see them
> adopted.
> 
My analysis is similar to Peter's: 2-3 years for an RFC, 2-3 years for
design/code/test, 2 years average delay for the next major release of
Windows which will include it, 5 years for most of the older machines to
die off.  

I've mentioned it before, but I'll point to the paper Eric Rescorla
wrote a few years ago:
http://www.cs.columbia.edu/~smb/papers/new-hash.ps or
http://www.cs.columbia.edu/~smb/papers/new-hash.pdf .  The bottom line:
if you're running a public-facing web server, you *can't* offer a SHA-2
certificate because you have no way of knowing if the client supports
SHA-2. Fixing that requires a TLS fix; see the above timeline for that.

-- 
		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


