[Cryptography] We need a new encryption algorithm competition.
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Mar 17 01:27:30 EDT 2014
Phillip Hallam-Baker <hallam at gmail.com> writes:
>Actually that was the case for TLS which required MD5 and SHA1 in the first
>incarnation. So when MD5 was found to be faulty, the switch to SHA1 was
>painless.
Only MD5 as a hash, not as a MAC, was faulty. Also, the combination used in
SSL was MD5-and-SHA1, not either-MD5-or-SHA1, or something else where you
could exploit the weakest link. So "moving painlessly to SHA1" actually
weakened the overall mechanism rather than strengthening it.
>Every IETF crypto protocol has specified a mandatory to implement algorithm
>to ensure a minimal level of interoperability.
... even if they weren't necessarily sane ones, like X9.42DH + DSA for S/MIME.
>If the spec designers don't choose one cipher the market will - and we may
>not like the choice.
Yup, that's exactly what happened with S/MIME. Luckily the standards were
adapted to match what everyone was doing anyway.
Peter.