MD5 considered harmful today, SHA-1 considered harmful tomorrow

Darren J Moffat Darren.Moffat at Sun.COM
Mon Jan 19 08:38:02 EST 2009


Paul Hoffman wrote:
> At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
>> When in 2012 the winner of the
>> NIST SHA-3 competition will be known, and everybody will start
>> using it (so that according to Peter's estimates, by 2018 half
>> of the implementations actually use it), do we then have enough
>> redundancy?
> 
> No offense, Benne, but are you serious? Why would "everybody" even consider it? Given what we know about the design of SHA-2 (too little), how would we know whether SHA-3 is any better than SHA-2 for applications such as digital certificates?
> 
> In specific, if most systems have implemented the whole SHA-2 family by the time SHA-3 is settled, and then there is a problem found in SHA-2/256, I would argue that it is probably much more prudent to change to SHA-2/384 than to SHA-3/256. SHA-2/384 will most likely be much than to SHA-3/256, but it will have had significantly more study.

Can you state the assumptions for why you think that moving to SHA384 
would be safe if SHA256 was considered vulnerable in some way please.

SHA256,384,512 are a suite all built on the same basic algorithm 
construction.  Depending on how SHA256 fell the whole suite could be 
vulnerable irrespective of the digest length or maybe it won't be.

Until we know how the SHA3 digest is actually constructed the same could 
even be true of that.

I don't think it depends at all on who you trust but on what algorithms 
are available in the protocols you need to use to run your business or 
use the apps important to you for some other reason.   It also very much 
depends on why the app uses the crypto algorithm in question, and in the 
case of digest/hash algorithms whether they are keyed (HMAC) or not.

-- 
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
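Darren's point that SHA-256/384/512 are "built on the same basic algorithm construction" can be made concrete: SHA-384 and SHA-512 share one 64-bit-word compression function and differ only in their initial hash values and in output truncation (SHA-224/256 likewise share a 32-bit-word one). The following is an added example, not code from the thread or from any of its participants: a pure-Python SHA-512/SHA-384 whose round constants and IVs are derived from the FIPS 180-4 definitions and cross-checked against hashlib.

```python
import hashlib, math, struct
MASK = (1 << 64) - 1

def primes(n):  # first n primes by trial division (80 are needed)
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps): ps.append(c)
        c += 1
    return ps

def icbrt(n):  # floor of the cube root of a big integer, Newton's method
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x: return x
        x = y

# FIPS 180-4: K[i] is the first 64 fractional bits of cbrt(i-th prime); the IVs are the
# first 64 fractional bits of sqrt(prime) for primes 1..8 (SHA-512) and 9..16 (SHA-384).
P = primes(80)
K = [icbrt(p << 192) & MASK for p in P]
IV512 = [math.isqrt(p << 128) & MASK for p in P[:8]]
IV384 = [math.isqrt(p << 128) & MASK for p in P[8:16]]

def rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK

def compress(h, block):  # the single SHA-512 compression function, reused as-is by SHA-384
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):  # message schedule
        s0 = rotr(w[i - 15], 1) ^ rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = rotr(w[i - 2], 19) ^ rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, hh = h
    for i in range(80):  # 80 rounds
        t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def sha2_64bit(msg, iv, out_bits):  # Merkle-Damgard chaining; only iv and truncation vary
    padded = msg + b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + (8 * len(msg)).to_bytes(16, "big")
    h = list(iv)
    for off in range(0, len(padded), 128):
        h = compress(h, padded[off:off + 128])
    return b"".join(x.to_bytes(8, "big") for x in h)[:out_bits // 8]

def sha512(msg): return sha2_64bit(msg, IV512, 512)
def sha384(msg): return sha2_64bit(msg, IV384, 384)
def matches_hashlib(msg):  # cross-check both variants against the platform's SHA-2
    return sha512(msg) == hashlib.sha512(msg).digest() and sha384(msg) == hashlib.sha384(msg).digest()
```

Calling matches_hashlib(b"abc") returns True; the only things that differ between the sha384 and sha512 paths are the iv argument and the output slice, which is why a weakness found in compress() would concern both digest lengths at once.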
