[142206] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow

daemon@ATHENA.MIT.EDU (Weger, B.M.M. de)
Sun Jan 11 13:21:24 2009

From: "Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>
To: Victor Duchovni <Victor.Duchovni@morganstanley.com>, cryptography
Date: Sat, 10 Jan 2009 23:32:44 +0100
In-Reply-To: <20090110040907.GD5177@hn305c2n2.ms.com>

Hi Victor,

> Bottom line, anyone fielding a SHA-2 cert today is not going=20
> to be happy with their costly pile of bits.

Will this situation have changed by the end of 2010 (that's
next year, by the way), when everybody who takes NIST seriously=20
will have to switch to SHA-2? The first weakness shown in MD5
was not in 2004 but in 1995. Apparently it takes a very long
time before the awareness about the implications of using
weakened or broken crypto has reached a sufficient level. Though
I understand the practical issues you're talking about, Victor,
my bottom line is different.

In my view, the main lesson that the information security community,=20
and in particular its intersection with the application building=20
community, has to learn from the recent MD5 and SHA-1 history,
is that strategies for dealing with broken crypto need rethinking.

[[Maybe in the previous sentence the word "intersection" should be=20
replaced by "union".]]

Benne de Weger

PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)=20
offering the video and audio files of the 25c3 presentation "MD5=20
considered harmful today", provide for integrity checking of those=20
files their, uhm, MD5 hashes.=

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post