[Cryptography] Which big-name ciphers have been broken in living memory?

Phillip Hallam-Baker phill at hallambaker.com
Tue Aug 19 11:00:03 EDT 2014


Responding to multiple threads,

SHA1 broken? Nope, it has been deprecated because the security is less
than the security advertised. But it has not yet been broken in the
sense of someone has created a collision. And Bruce is suggesting 2021
as the time for that:

https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

There are plenty of ciphers that have turned out to be dodgy in that
way. IDEA for example. But MD5, SHA1, RC4 and IDEA are the only ones
that turned out to be seriously weaker than the design intent.


Now fortunately SHA1 being weakened is not really a big deal because
we have SHA2 already deployed in most browsers. And breaking SHA1 only
makes future traffic vulnerable, not previous conversations.

And even though SHA1 is weaker than expected, it is hard to see how a
collision attack compromises it for most of the situations in which it
is used since TLS and PKIX don't really rely on collision avoidance.
If an attack involves a trusted party that is not trustworthy then it
is probably a de minimis concern.


RSA2048 is really not a problem. It is RSA4096 that gives people the
real concern. The keys are huge but we are well over the knee in the
work factor graph and those extra key bits are doing almost nothing
for us. Hence the interest in ECC.

I agree with Victor that fallback algorithms should be upgrades, not
mere precautions. And I would like to see us move to a point where
every IETF protocol has exactly one mandatory-to-implement algorithm
suite, exactly one set of alternative algorithms in case there is a
need to transition and a set of acceptable algorithms that are
previous mandatory algorithms for purposes of interop.

Other than that, I would like the IETF out of the algorithm anointing
business altogether. Because once you start giving a code point for
CAST you have set yourself up to give one to GOST and then you are in for
two dozen sets of national labs vanity crypto. Set the protocol up so
that other algorithms can be used, definitely. Create a registry where
anyone can get a code point for their algorithm, sure. But make sure
that there is no implication that anyone is sanity checking the
submissions because they are not and they can't check each one
anywhere near thoroughly enough.
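The "knee in the work factor graph" remark above can be made concrete. The following is an added illustration, not code from the post or its author; it assumes two textbook heuristics: the general number field sieve running time L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped (so the absolute numbers land a few bits above the NIST SP 800-57 equivalence table, but the growth rate is what matters), and the generic square-root bound (Pollard rho) for the discrete log on a prime-order curve. The function names `gnfs_bits`, `ecdlp_bits` and `rsa_modulus_for` are this example's own.

```python
"""Work-factor comparison: how much security each extra RSA key bit buys
versus each extra ECC key bit.  Added illustration, not from the post.

Assumptions (heuristics, not measurements):
  * RSA: GNFS cost L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),
    c = (64/9)^(1/3), o(1) term dropped.
  * ECC: generic discrete-log attacks cost about 2^(k/2) on a k-bit
    prime-order curve.
"""
import math

GNFS_C = (64 / 9) ** (1 / 3)  # ~1.923, the constant in L_n[1/3, c]


def gnfs_bits(modulus_bits: int) -> float:
    """Estimated work, in bits (log2), to factor an RSA modulus of the
    given size with GNFS.  Heuristic: L_n[1/3, (64/9)^(1/3)], no o(1)."""
    ln_n = modulus_bits * math.log(2)          # ln(n) for an n of that size
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)               # exp(work_ln) expressed in bits


def ecdlp_bits(curve_bits: int) -> float:
    """Generic (Pollard rho) work in bits to solve the discrete log on a
    prime-order curve of the given size: square root of the group order."""
    return curve_bits / 2


def rsa_modulus_for(target_bits: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) whose GNFS estimate
    reaches the target security level."""
    size = step
    while gnfs_bits(size) < target_bits:
        size += step
    return size


def security_per_key_bit(modulus_bits: int) -> float:
    """Security bits obtained per bit of RSA modulus; falls as keys grow,
    which is the diminishing return the post is talking about."""
    return gnfs_bits(modulus_bits) / modulus_bits


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'GNFS work (bits)':>17} "
          f"{'gain from doubling':>19} {'security/key bit':>17}")
    for size in (1024, 2048, 4096, 8192):
        gain = gnfs_bits(2 * size) - gnfs_bits(size)
        print(f"{size:>9} {gnfs_bits(size):>17.1f} {gain:>19.1f} "
              f"{security_per_key_bit(size):>17.3f}")
    print()
    print(f"{'curve bits':>10} {'ECDLP work (bits)':>18}")
    for size in (256, 384, 521):
        print(f"{size:>10} {ecdlp_bits(size):>18.1f}")
    print()
    print("RSA size needed for 112-bit security:", rsa_modulus_for(112))
```

Doubling an RSA modulus from 2048 to 4096 bits adds roughly 40 bits of estimated work under this heuristic, while doubling a curve from 256 to 512 bits adds 128; the `security_per_key_bit` column shows the RSA ratio dropping with every doubling, which is why the extra key bits buy so little relative to their cost.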

