MD5 considered harmful today, SHA-1 considered harmful tomorrow
Darren J Moffat
Darren.Moffat at Sun.COM
Mon Jan 19 08:38:02 EST 2009
Paul Hoffman wrote:
> At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote:
>> When in 2012 the winner of the
>> NIST SHA-3 competition will be known, and everybody will start
>> using it (so that according to Peter's estimates, by 2018 half
>> of the implementations actually uses it), do we then have enough
>> redundancy?
>
> No offense, Benne, but are you serious? Why would "everybody" even consider it? Given what we know about the design of SHA-2 (too little), how would we know whether SHA-3 is any better than SHA-2 for applications such as digital certificates?
>
> In specific, if most systems have implemented the whole SHA-2 family by the time SHA-3 is settled, and then there is a problem found in SHA-2/256, I would argue that it is probably much more prudent to change to SHA-2/384 than to SHA-3/256. SHA-2/384 will most likely be much than to SHA-3/256, but it will have had significantly more study.
Can you state the assumptions for why you think that moving to SHA384
would be safe if SHA256 was considered vulnerable in some way, please?
SHA256, 384 and 512 are a suite, all built on the same basic algorithm
construction. Depending on how SHA256 fell, the whole suite could be
vulnerable irrespective of the digest length, or maybe it won't be.
Until we know how the SHA3 digest is actually constructed, the same could
even be true of that.
I don't think it depends at all on who you trust, but on what algorithms
are available in the protocols you need to use to run your business or
use the apps important to you for some other reason. It also very much
depends on why the app uses the crypto algorithm in question, and in the
case of digest/hash algorithms, whether they are keyed (HMAC) or not.
--
Darren J Moffat
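The migration question argued above (SHA-2/256 to SHA-2/384 or SHA-3/256, keyed or not) is only tractable if the stored digest says which algorithm produced it. The following is an added example, not code from the thread or its authors: every digest carries a label, verification accepts only a configurable set of labels, and a deployment retires an algorithm by dropping its label. The label names and the `make_tag`/`verify_tag` functions are assumptions made for this illustration.

```python
import hashlib
import hmac
from typing import Optional, Set

# Digest algorithms a deployment allows, keyed by the label stored with
# each digest. SHA-256/384/512 and SHA3-256 are all provided by hashlib.
ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
    "sha3-256": hashlib.sha3_256,
}


def make_tag(data: bytes, alg: str, key: Optional[bytes] = None) -> str:
    """Return 'alg:hex' for an unkeyed digest, or 'hmac-alg:hex' for HMAC."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {alg}")
    if key is None:
        return f"{alg}:{ALGORITHMS[alg](data).hexdigest()}"
    return f"hmac-{alg}:{hmac.new(key, data, ALGORITHMS[alg]).hexdigest()}"


def verify_tag(data: bytes, tag: str, allowed: Set[str],
               key: Optional[bytes] = None) -> bool:
    """Check `tag` against `data`, accepting only labels listed in `allowed`.

    Removing 'sha256' from `allowed` (while keeping 'sha384' or 'sha3-256')
    retires that algorithm without changing the stored format. A keyed tag
    is never accepted without the key, and vice versa.
    """
    label, _, _ = tag.partition(":")
    if label not in allowed:
        return False
    keyed = label.startswith("hmac-")
    alg = label[len("hmac-"):] if keyed else label
    if alg not in ALGORITHMS or keyed != (key is not None):
        return False
    expected = make_tag(data, alg, key)
    # Constant-time comparison of the full 'label:hex' string.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    doc = b"constructed sample document"          # constructed input
    old = make_tag(doc, "sha256")
    print(old, verify_tag(doc, old, {"sha256", "sha384"}))      # accepted
    print(old, verify_tag(doc, old, {"sha384", "sha3-256"}))    # retired
```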
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com