MD5 considered harmful today, SHA-1 considered harmful tomorrow

Paul Hoffman paul.hoffman at vpnc.org
Sat Jan 17 15:03:57 EST 2009


At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
>When in 2012 the winner of the
>NIST SHA-3 competition will be known, and everybody will start
>using it (so that according to Peter's estimates, by 2018 half
>of the implementations actually use it), do we then have enough
>redundancy?

No offense, Benne, but are you serious? Why would "everybody" even consider it? Given what we know about the design of SHA-2 (too little), how would we know whether SHA-3 is any better than SHA-2 for applications such as digital certificates?

In specific, if most systems have implemented the whole SHA-2 family by the time SHA-3 is settled, and then there is a problem found in SHA-2/256, I would argue that it is probably much more prudent to change to SHA-2/384 than to SHA-3/256. SHA-2/384 will most likely be much than to SHA-3/256, but it will have had significantly more study.

It all depends on who you trust and why.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List