SHA-1 collisions now at 2^{52}?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat May 2 05:53:40 EDT 2009


"Perry E. Metzger" <perry at piermont.com> writes:
>Greg Rose <ggr at qualcomm.com> writes:
>> It already wasn't theoretical... if you know what I mean. The writing
>> has been on the wall since Wang's attacks four years ago.
>
>Sure, but this should light a fire under people for things like TLS 1.2.

Why?

Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
SHA-1/MD5 dual hashes)?  Do you think the phishers will even notice this as
they sort their multi-gigabyte databases of stolen credentials?

The problem with TLS 1.2 is that it completely breaks backwards compatibility
with existing versions, it's an even bigger break than the SSL -> TLS
changeover was.  If you want something to incentivise vendors to break
compatibility with the entire deployed infrastructure of TLS devices, the
attack had better be something pretty close to O( 1 ), preferably with
deployed malware already exploiting it.

Ten years ago you may have been able to do this sort of thing because it was
cool and the geeks were in charge, but today with a deployed base of several
billion devices (computers, cellphones, routers, printers, you name it) the
economists are in charge, not the cryptographers, and if you do the sums TLS
1.2 doesn't make business sense.  It may be geeky-cool to make the change, but
geeky-cool isn't going to persuade (say) Linksys to implement TLS 1.2 on their
home routers.

(I can't believe I just said that :-).

Peter.
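The "SHA-1/MD5 dual hashes" of TLS 1.1 are the PRF of RFC 4346 section 5, which keys P_MD5 with one half of the secret and P_SHA-1 with the other and XORs the two streams; RFC 2246 gives the rationale that the PRF should stay secure if either hash remains secure. As an added illustration that is not part of the post, here is that construction in Python, with constructed sample values for the pre-master secret and Hello randoms:

```python
import hashlib
import hmac

# Constructed sample inputs (not from the post): a 48-byte pre-master secret
# and the two 32-byte Hello randoms that seed the master-secret derivation.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 4346 section 5: expand `secret` to `length` bytes with
    HMAC, chaining A(i) = HMAC(secret, A(i-1)) with A(0) = seed."""
    digest = getattr(hashlib, hash_name)
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i)
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls11_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5 keyed with the first half of the secret, XORed
    with P_SHA-1 keyed with the second half. Each hash sees only its own key
    half, and its output is masked by the other hash's keyed stream."""
    half = (len(secret) + 1) // 2            # odd lengths share the middle byte
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 4346 section 8.1: master_secret = PRF(pre_master_secret,
    "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return tls11_prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
```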

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


