SHA-1 collisions now at 2^{52}?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed May 6 11:00:50 EDT 2009


"Perry E. Metzger" <perry at piermont.com> writes:

>Home routers and other equipment last for years. If we slowly roll out
>various protocol and system updates now, then in a number of years, when we
>find ourselves with real trouble, a lot of them will already be updated
>because new ones won't have issues.

I'm not really sure if it works that way.  From my experience with SSH in
routers [0] I'd say it's more like:

  Binary images in routers last years.  If we deploy first-cut, buggy
  implementations of new protocols now, we'll have to support the bugs in a
  backwards-compatible manner for the rest of eternity.

That is, in the absence of widely-deployed, mature implementations to test
against, router vendors will (if they were to ship with this right now) deploy
pre-alpha quality code that would then be frozen for the rest of eternity.  I
have to maintain support for ten-year-old SSH bugs in my code because of ports
to... well, unnamed vendors' systems done a decade or so back that never get
touched again once the initial version got to the point where it would respond
to a packet.  So if vendors are going to bake things into firmware (which
includes firmware images that never get updated, more or less the same thing)
then I'd prefer they hold on a bit until it's certain they've got somewhat
more mature code.

Peter.

[0] Implementations of this are easier to date than SSL, and also a lot
    buggier so there's more to watch out for.

---------------------------------------------------------------------
The Cryptography Mailing List