[tahoe-dev] SHA-1 broken!
Christian Rechberger
christian.rechberger at tugraz.at
Sun May 3 18:31:03 EDT 2009
Quoting "Perry E. Metzger" <perry at piermont.com>:
>
> Ray Dillinger <bear at sonic.net> writes:
>> I cannot derive a realistic threat model from the very general
>> statements in the slides.
>
> (BTW, you mean threat, not threat *model*, in this instance.)
>
> As just one obvious example of a realistic threat, consider that there
> are CAs that will happily sell you certificates that use SHA-1.
>
> Various clever forgery attacks have been used against certs that use
> MD5, see:
>
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Those attacks can now be extended to SHA-1 pretty easily. It might
It is in my opinion way too early to jump to this kind of conclusion:
Even if the new attack works as promised (and I have the feeling that
people are too optimistic here), there is the following issue:
* these advanced attacks against CAs do require a special type of
collision attack (the name "chosen-prefix attack" was coined), not a
"normal" collision attack we are talking about here for the case of
SHA-1. A chosen-prefix attack can be expected to be significantly
harder to perform than a "normal" attack. The link you provided should
contain a more in-depth discussion on this for the case of MD5.
Nevertheless, I agree that moving away from SHA-1 should be encouraged
(since 2005).
Best,
Christian
--
Christian Rechberger, Graz University of Technology, Austria.
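The distinction drawn above, between a "normal" (identical-prefix) collision and a chosen-prefix collision, is easier to see on a toy hash than in the slides. The following is an added example, not code from this thread or from any of the cited attacks. It builds a tiny Merkle-Damgard hash (4-byte blocks, a 24-bit chaining value, length padding; the compression function is SHA-256 truncated to 24 bits, so the only weakness is the small state), then finds both kinds of collision by brute-force birthday search. It shows what each attack produces: with an identical-prefix collision both messages must agree on everything before the colliding blocks, and any common suffix keeps the collision; with a chosen-prefix collision the two messages may already differ before the colliding blocks, which is what a rogue-CA construction needs, since the two certificates carry different names and keys. The toy cannot show the cost gap Christian mentions: on a generic birthday search both kinds cost the same, and the extra cost of chosen-prefix attacks on real MD5/SHA-1 comes from the cryptanalytic shortcut having to bridge two different chaining values. All names (ACME, Alice, Bob) and the 24-bit parameters are assumptions for the demo.

```python
import hashlib

BLOCK = 4           # bytes per message block (toy; SHA-1 uses 64)
STATE_BITS = 24     # toy chaining-value width (SHA-1 uses 160)
IV = 0x123456       # arbitrary initial chaining value (assumed)


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 squeezed to 24 bits.
    The demonstrated weakness is the small state, not SHA-256 itself."""
    assert len(block) == BLOCK
    h = hashlib.sha256(state.to_bytes(4, "big") + block).digest()
    return int.from_bytes(h[:3], "big")


def chain(state: int, data: bytes) -> int:
    """Run the Merkle-Damgard chain over block-aligned data (no padding)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def pad(msg: bytes) -> bytes:
    """MD strengthening: 0x80, zero fill, then the bit length as a final block."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    return padded + (8 * len(msg)).to_bytes(BLOCK, "big")


def md_hash(msg: bytes) -> int:
    """The full toy hash of an arbitrary-length message."""
    return chain(IV, pad(msg))


def align(prefix: bytes) -> bytes:
    """Pad a prefix with spaces to a block boundary, as the real attacks do
    before the collision blocks are inserted."""
    return prefix + b" " * (-len(prefix) % BLOCK)


def identical_prefix_collision(prefix: bytes):
    """Birthday search for two distinct blocks C1 != C2 such that
    chain(IV, P||C1) == chain(IV, P||C2).  Both sides share the SAME
    prefix P; only the colliding blocks differ."""
    s = chain(IV, prefix)
    seen = {}
    for i in range(1 << STATE_BITS):
        block = i.to_bytes(BLOCK, "big")
        t = compress(s, block)
        if t in seen:            # seen[t] is an earlier, hence different, block
            return seen[t], block
        seen[t] = block
    raise RuntimeError("no collision found")


def chosen_prefix_collision(p1: bytes, p2: bytes):
    """Birthday search for blocks C1, C2 such that
    chain(IV, P1||C1) == chain(IV, P2||C2) where the attacker chose
    P1 != P2 freely.  The prefixes must have equal length so that the
    length block appended by pad() agrees on both sides as well."""
    assert len(p1) == len(p2) and p1 != p2
    s1, s2 = chain(IV, p1), chain(IV, p2)
    seen1, seen2 = {}, {}       # state -> block, one table per prefix
    for i in range(1 << STATE_BITS):
        block = i.to_bytes(BLOCK, "big")
        t1, t2 = compress(s1, block), compress(s2, block)
        if t1 in seen2:
            return block, seen2[t1]
        if t2 in seen1:
            return seen1[t2], block
        seen1[t1] = block
        seen2[t2] = block
    raise RuntimeError("no collision found")


if __name__ == "__main__":
    # Constructed sample "subject names"; the suffix stands in for the
    # rest of a certificate body that is identical in both documents.
    p = align(b"CN=Alice, O=ACME")
    c1, c2 = identical_prefix_collision(p)
    tail = b"-- same remainder of the document --"
    print("identical-prefix collision:", c1.hex(), c2.hex(),
          md_hash(p + c1 + tail) == md_hash(p + c2 + tail))

    p1, p2 = align(b"CN=Alice, O=ACME"), align(b"CN=Bob, O=ACME")
    d1, d2 = chosen_prefix_collision(p1, p2)
    print("chosen-prefix collision:", d1.hex(), d2.hex(),
          md_hash(p1 + d1 + tail) == md_hash(p2 + d2 + tail))
```

Each search finishes after a few thousand compression calls because the chaining value is only 24 bits; at 160 bits the same generic search is hopeless, and the published attacks replace it with differential paths. Note that the equal-length requirement in the chosen-prefix search is not a toy artifact: length padding at the end of a Merkle-Damgard hash means the two documents must end up the same length, which is why the real attacks align both prefixes to a block boundary first.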
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com