[Cryptography] We need a new encryption algorithm competition.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Mar 17 01:27:30 EDT 2014

Phillip Hallam-Baker <hallam at gmail.com> writes:

>Actually that was the case for TLS which required MD5 and SHA1 in the first
>incarnation. So when MD5 was found to be faulty, the switch to SHA1 was

Only MD5 as a hash, not as a MAC, was faulty.  Also, the combination used in
SSL was MD5-and-SHA1, not either-MD5-or-SHA1, or something else where you
could exploit the weakest link.  So "moving painlessly to SHA1" actually
weakened the overall mechanism rather than strenghthening it.

>Every IETF crypto protocol has specified a mandatory to implement algorithm
>to ensure a minimal level of interoperability. 

... even if they weren't necessarily sane ones, like X9.42DH + DSA for S/MIME.

>If the spec designers don't choose one cipher the market will - and we may
>not like the choice.

Yup, that's exactly what happened with S/MIME.  Luckily the standards were
adapted to match what everyone was doing anyway.


More information about the cryptography mailing list