SHA-1 collisions now at 2^{52}?

Perry E. Metzger perry at piermont.com
Sat May 2 10:37:17 EDT 2009


Peter Gutmann <pgut001 at cs.auckland.ac.nz> writes:
> "Perry E. Metzger" <perry at piermont.com> writes:
>>Greg Rose <ggr at qualcomm.com> writes:
>>> It already wasn't theoretical... if you know what I mean. The writing
>>> has been on the wall since Wang's attacks four years ago.
>>
>>Sure, but this should light a fire under people for things like TLS 1.2.
>
> Why?
>
> Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
> SHA-1/MD5 dual hashes)?

No immediate threat. The issue is that attacks only get better with
time. Now that we've seen this set of attacks, we can't be entirely sure
what will happen next. In three or five years, we may find that
HMAC-SHA1 is more easily attacked than it is now.

On the 1.2 issue, the real point of 1.2 is not to replace SHA-1 per se
but to permit us to deal with the situation where *any* algorithm proves
to be dangerously weak. We've learned this lesson several times now --
it is best to have protocols that can move to new crypto algorithms as
old ones need to be abandoned.

Note that I said "things like" TLS -- TLS is not the only issue. There
are many out there. There is no need to panic over any one of them, but
it would be good to get things replaced.

Right now, without much of a rush or any real anxiety about it we can
take the several years needed to move new mechanisms out. If we dither,
then in a few years we may find ourselves having a much less pleasant
transition where suddenly the problem isn't long term but immediate.

> Do you think the phishers will even notice this as they sort their
> multi-gigabyte databases of stolen credentials?

No, they clearly won't notice at all. However, let's broaden this and
consider not only phishermen but all attackers.

Remember, attackers go for the lowest hanging fruit, not for any
particular technique. They pick the weakest links available. The reason
bad crypto has not been an attack point is because other things have
been much easier to attack than the crypto. I would prefer to keep it
that way.

My worry isn't about the phishermen per se. My worry is about things we
haven't thought about -- tricks like the CA forgery trick lying in wait
for us. There are more and more things out there that depend on the
crypto being right -- things like signed software updates, people who
actually *need* authentication for life critical systems, etc. If we
clean things up now, in three or five or seven years we won't have to
rush.

There is no need to panic, but clearly the handwriting is on the
wall. The time to act is early when it is inexpensive to do so.

> It may be geeky-cool to make the change, but geeky-cool isn't going to
> persuade (say) Linksys to implement TLS 1.2 on their home routers.
>
> (I can't believe I just said that :-).

Home routers and other equipment last for years. If we slowly roll out
various protocol and system updates now, then in a number of years, when
we find ourselves with real trouble, a lot of them will already be
updated because new ones won't have issues. If we wait until things get
bad, then instead of being a natural part of the upgrade cycle things
get to be expensive and painful.

Perry
-- 
Perry E. Metzger		perry at piermont.com
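The point Perry makes about TLS 1.2 is algorithm agility: a protocol should carry an algorithm identifier so that a weak primitive can be retired by policy rather than by redesign. The sketch below is an added illustration of that pattern for an authentication tag, not code from the thread or from any TLS implementation. The `alg:mac` tag format, the `ISSUE_ALG`/`ACCEPT_ALGS` policy split, and the key and message values are all constructed for the example.

```python
import hmac
import hashlib

# Mechanism: the hashes this verifier knows how to compute. Adding a new
# primitive is a one-line registry change, which is the agility hook.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
}

# Policy, kept separate from mechanism: which algorithm new tags are
# issued with, and which algorithms are still accepted on the way in.
# During a transition ACCEPT_ALGS is a superset of {ISSUE_ALG}; retiring
# the old hash later means dropping it from ACCEPT_ALGS and nothing else.
ISSUE_ALG = "hmac-sha256"
ACCEPT_ALGS = frozenset({"hmac-sha256", "hmac-sha1"})


def make_tag(key: bytes, message: bytes, alg: str = ISSUE_ALG) -> str:
    """Return a tag of the form 'alg:hexmac' (constructed format).

    The algorithm label is mixed into the MAC input so that a tag cannot
    be re-labelled as a different algorithm under the same key.
    """
    digestmod = ALGORITHMS[alg]
    mac = hmac.new(key, alg.encode() + b"\x00" + message, digestmod).hexdigest()
    return f"{alg}:{mac}"


def verify_tag(key: bytes, message: bytes, tag: str,
               accept: frozenset = ACCEPT_ALGS) -> bool:
    """Recompute the tag with the algorithm named in it and compare.

    Unknown or retired algorithms are rejected outright rather than
    guessed at; this is where a deprecation actually takes effect.
    """
    alg, sep, _ = tag.partition(":")
    if not sep or alg not in accept or alg not in ALGORITHMS:
        return False
    expected = make_tag(key, message, alg)
    # Constant-time comparison over bytes so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), tag.encode())


def classify_tag(tag: str, accept: frozenset = ACCEPT_ALGS,
                 issue: str = ISSUE_ALG) -> str:
    """Label a tag as 'current', 'legacy' or 'rejected' for telemetry.

    Counting how many 'legacy' tags still arrive is how an operator learns
    when the long-lived devices Perry mentions have actually moved on and
    the old algorithm can be dropped from the accept set.
    """
    alg = tag.partition(":")[0]
    if alg == issue:
        return "current"
    if alg in accept and alg in ALGORITHMS:
        return "legacy"
    return "rejected"


if __name__ == "__main__":
    # Constructed demo values.
    key = b"constructed-demo-key"
    msg = b"firmware-update-1.2.bin"

    current = make_tag(key, msg)
    legacy = make_tag(key, msg, "hmac-sha1")
    print(current, verify_tag(key, msg, current), classify_tag(current))
    print(legacy, verify_tag(key, msg, legacy), classify_tag(legacy))

    # After the transition window: SHA-1 leaves the accept set, old tags
    # stop verifying, and no signing or verifying code had to change.
    post_transition = frozenset({"hmac-sha256"})
    print("legacy accepted after retirement?",
          verify_tag(key, msg, legacy, post_transition))
```

The design choice worth noting is that the policy sets are data, not branches in the verifier: the same binary can be moved from "accept both" to "accept only the new hash" by a configuration change, which is the cheap, unhurried transition the message argues for.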

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com