[tahoe-dev] SHA-1 broken!

Christian Rechberger christian.rechberger at tugraz.at
Sun May 3 18:31:03 EDT 2009


Quoting "Perry E. Metzger" <perry at piermont.com>:

>
> Ray Dillinger <bear at sonic.net> writes:
>> I cannot derive a realistic threat model from the very general
>> statements in the slides.
>
> (BTW, you mean threat, not threat *model*, in this instance.)
>
> As just one obvious example of a realistic threat, consider that there
> are CAs that will happily sell you certificates that use SHA-1.
>
> Various clever forgery attacks have been used against certs that use
> MD5, see:
>
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Those attacks can now be extended to SHA-1 pretty easily. It might

It is in my opinion way too early to jump to this kind of conclusion:

Even if the new attack works as promised (and I have the feeling that
people are too optimistic here), there is the following issue:

* these advanced attacks against CAs do require a special type of
collision attack (the name "chosen-prefix attack" was coined), not a
"normal" collision attack we are talking about here for the case of
SHA-1. A chosen-prefix attack can be expected to be significantly
harder to perform than a "normal" attack. The link you provided should
contain a more in-depth discussion on this for the case of MD5.

Nevertheless, I agree that moving away from SHA-1 should be encouraged
(since 2005).

Best,
  Christian

-- 
Christian Rechberger, Graz University of Technology, Austria.
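The thread's practical takeaway is that certificates signed with SHA-1 (or MD5) are the thing to hunt for and replace. The following is an added example, not code from the original post or from either author: a small pure-Python DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and classifies its digest as weak (MD5, SHA-1), acceptable, or unknown. The OID table is limited to a few well-known RSA and ECDSA signature algorithms; the sample inputs are constructed certificate skeletons (empty tbsCertificate, empty signature) built by a helper in the block, so they are not valid certificates and only exercise the algorithm field.

```python
"""Flag X.509 certificates whose signature uses MD5 or SHA-1.

Added example, not part of the original post. Input is a DER-encoded
Certificate; the skeletons built by make_skeleton_cert() are constructed
test data and exercise only the signatureAlgorithm field.
"""

# Well-known signatureAlgorithm OIDs: dotted OID -> (name, digest).
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-256"),
}
WEAK_DIGESTS = {"MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Convert DER OID content octets to dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    cur = 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_oid(der_cert):
    """Return the dotted OID of the outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                 # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)          # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify(der_cert):
    """Return (algorithm name, digest, verdict) with verdict in {weak, ok, unknown}."""
    oid = signature_oid(der_cert)
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    verdict = "unknown" if digest == "unknown" else ("weak" if digest in WEAK_DIGESTS else "ok")
    return name, digest, verdict


# --- constructed test data below: a certificate-shaped DER shell, not a real cert ---

def _tlv(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(digits))
    return out


def make_skeleton_cert(sig_oid, tbs=b""):
    """Constructed input: Certificate shell with given signature OID, empty signature."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    return _tlv(0x30, _tlv(0x30, tbs) + alg_id + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for oid in SIG_ALGS:
        print(oid, classify(make_skeleton_cert(oid)))
```

On real input, feed the DER bytes of each certificate in a chain (PEM bodies base64-decoded) to `classify`; anything reported as `weak` is a candidate for replacement, and `unknown` means the OID table above needs extending before the result is trusted.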




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com