SHA-1 collisions now at 2^{52}?

Eric Rescorla ekr at networkresonance.com
Sat May 2 12:58:39 EDT 2009


At Sat, 02 May 2009 21:53:40 +1200,
Peter Gutmann wrote:
> 
> "Perry E. Metzger" <perry at piermont.com> writes:
> >Greg Rose <ggr at qualcomm.com> writes:
> >> It already wasn't theoretical... if you know what I mean. The writing
> >> has been on the wall since Wang's attacks four years ago.
> >
> >Sure, but this should light a fire under people for things like TLS 1.2.
> 
> Why?
> 
> Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
> SHA-1/MD5 dual hashes)?  Do you think the phishers will even notice this as
> they sort their multi-gigabyte databases of stolen credentials?

Again, I don't want to get into a long argument with Peter about TLS 1.1 vs.
TLS 1.2, but TLS 1.2 also defines an extension that lets the client tell
the server that it would take a SHA-256 certificate. Absent that, it's
not clear how the server would know. 

Of course, you could use that extension with 1.1 and maybe that's what the
market will decide...

-Ekr
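The extension Ekr refers to is signature_algorithms (RFC 5246, section 7.4.1.4.1): the client lists the (hash, signature) pairs it can verify, and a server holding both a SHA-1 and a SHA-256 certificate chain can use that list to decide which one to send. The following is an added example, not code from the post or from any TLS implementation: it encodes and parses the extension with the RFC 5246 code points and shows the server-side selection, including the case the post raises, a client that sends no such extension and therefore gives the server nothing to go on. The chain handles and byte strings are constructed for illustration.

```python
"""Encode/parse the TLS 1.2 signature_algorithms extension and pick a
certificate chain from it. Added example; sample data is constructed."""
import struct

# Code points from RFC 5246 section 7.4.1.4.1.
SIGNATURE_ALGORITHMS_EXT = 13
HASH = {"none": 0, "md5": 1, "sha1": 2, "sha224": 3,
        "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"anonymous": 0, "rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}


def encode_signature_algorithms(pairs):
    """Build the full extension (type, length, data) from (hash, sig) names."""
    body = b"".join(bytes([HASH[h], SIG[s]]) for h, s in pairs)
    ext_data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_data)) + ext_data


def parse_extensions(blob):
    """Parse a ClientHello extensions block (2-byte total length, then
    type/length/data entries). Returns {type: data}; raises on truncation."""
    if len(blob) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    if len(blob) != 2 + total:
        raise ValueError("extensions length mismatch")
    pos, out = 2, {}
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension data")
        out[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return out


def parse_signature_algorithms(ext_data):
    """Decode extension_data into [(hash_name, sig_name), ...]."""
    if len(ext_data) < 2:
        raise ValueError("missing supported_signature_algorithms length")
    (n,) = struct.unpack("!H", ext_data[:2])
    if n % 2 or len(ext_data) != 2 + n:
        raise ValueError("bad supported_signature_algorithms length")
    raw = ext_data[2:]
    return [(HASH_NAME.get(raw[i], "unknown"), SIG_NAME.get(raw[i + 1], "unknown"))
            for i in range(0, n, 2)]


def choose_certificate(extensions, chains):
    """Pick a chain the client can verify. `chains` maps a hash name to an
    opaque chain handle (constructed here). Without the extension the server
    has no signal and must fall back to the SHA-1 chain that pre-1.2 clients
    accept; that is the gap the post describes."""
    ext = extensions.get(SIGNATURE_ALGORITHMS_EXT)
    if ext is None:
        return "sha1", chains["sha1"]
    accepted = {h for h, s in parse_signature_algorithms(ext) if s == "rsa"}
    for h in ("sha512", "sha384", "sha256"):  # strongest hash we hold a chain for
        if h in accepted and h in chains:
            return h, chains[h]
    if "sha1" in accepted:
        return "sha1", chains["sha1"]
    raise ValueError("no chain matches the client's signature_algorithms")


# Constructed sample data (not real certificates): two chain handles.
CHAINS = {"sha256": "chain-signed-with-sha256WithRSAEncryption",
          "sha1": "chain-signed-with-sha1WithRSAEncryption"}


def demo():
    """Returns the hash chosen for a 1.2 client and for an extension-less client."""
    ext = encode_signature_algorithms([("sha256", "rsa"), ("sha1", "rsa")])
    hello_exts = struct.pack("!H", len(ext)) + ext
    with_ext = choose_certificate(parse_extensions(hello_exts), CHAINS)
    without_ext = choose_certificate(parse_extensions(b"\x00\x00"), CHAINS)
    return with_ext[0], without_ext[0]


if __name__ == "__main__":
    print(demo())
```

The fallback branch is the practical consequence of the post's point: a server that cannot distinguish a SHA-256-capable client from an old one keeps serving the SHA-1 chain to everyone, so offering the extension (whether under TLS 1.2 or, as Ekr suggests, alongside 1.1) is what makes a SHA-256 migration deployable per client rather than all at once.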

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com