[142206] in cryptography@c2.net mail archive
RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow
daemon@ATHENA.MIT.EDU (Weger, B.M.M. de)
Sun Jan 11 13:21:24 2009
From: "Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl>
To: Victor Duchovni <Victor.Duchovni@morganstanley.com>, cryptography
<cryptography@metzdowd.com>
Date: Sat, 10 Jan 2009 23:32:44 +0100
In-Reply-To: <20090110040907.GD5177@hn305c2n2.ms.com>
Hi Victor,
> Bottom line, anyone fielding a SHA-2 cert today is not going
> to be happy with their costly pile of bits.
Will this situation have changed by the end of 2010 (that's
next year, by the way), when everybody who takes NIST seriously
will have to switch to SHA-2? The first weakness shown in MD5
was not in 2004 but in 1995. Apparently it takes a very long
time before the awareness about the implications of using
weakened or broken crypto has reached a sufficient level. Though
I understand the practical issues you're talking about, Victor,
my bottom line is different.
In my view, the main lesson that the information security community,
and in particular its intersection with the application building
community, has to learn from the recent MD5 and SHA-1 history,
is that strategies for dealing with broken crypto need rethinking.
[[Maybe in the previous sentence the word "intersection" should be
replaced by "union".]]
Grtz,
Benne de Weger
PS: I find it ironic that the sites (such as ftp.ccc.de/congress/25c3/)
offering the video and audio files of the 25c3 presentation "MD5
considered harmful today", provide for integrity checking of those
files their, uhm, MD5 hashes.