[142591] in cryptography@c2.net mail archive
Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Jan 17 14:35:05 2009
Date: Sat, 17 Jan 2009 11:24:08 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Cc: b.m.m.d.weger@TUE.nl, cryptography@metzdowd.com, Victor.Duchovni@morganstanley.com
In-Reply-To: <E1LMD6y-0007Fr-PT@wintermute01.cs.auckland.ac.nz>
On Mon, 12 Jan 2009 16:05:08 +1300
pgut001@cs.auckland.ac.nz (Peter Gutmann) wrote:
> "Weger, B.M.M. de" <b.m.m.d.weger@TUE.nl> writes:
>
> >> Bottom line, anyone fielding a SHA-2 cert today is not going
> >> to be happy with their costly pile of bits.
> >
> >Will this situation have changed by the end of 2010 (that's next
> >year, by the way), when everybody who takes NIST seriously will have
> >to switch to SHA-2?
>
> I have a general outline of a timeline for adoption of new crypto
> mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically
> algorithms) in my Crypto Gardening Guide and Planting Tips,
> http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt, see
> "Question J" about 2/3 of the way down. It's not meant to be
> definitively accurate for all cases but was created as a rough
> guideline for people proposing to introduce new crypto mechanisms to
> give an idea of how long they should expect to wait to see them
> adopted.
>
My analysis is similar to Peter's: 2-3 years for an RFC, 2-3 years for
design/code/test, 2 years average delay for the next major release of
Windows which will include it, 5 years for most of the older machines to
die off.

I've mentioned it before, but I'll point to the paper Eric Rescorla
wrote a few years ago:
http://www.cs.columbia.edu/~smb/papers/new-hash.ps or
http://www.cs.columbia.edu/~smb/papers/new-hash.pdf . The bottom line:
if you're running a public-facing web server, you *can't* offer a SHA-2
certificate because you have no way of knowing if the client supports
SHA-2. Fixing that requires a TLS fix; see the above timeline for that.
--
--Steve Bellovin, http://www.cs.columbia.edu/~smb
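The "TLS fix" the message refers to is a negotiation step in which the client tells the server which hash/signature combinations it can verify before the server picks a certificate; TLS 1.2 (RFC 5246, section 7.4.1.4.1) added exactly that as the signature_algorithms extension. The following is an added example, not code from the thread or from any of its participants: it encodes and decodes that extension using the real RFC 5246 code points (extension type 13; hash values md5=1, sha1=2, sha256=4 and so on) and shows the server-side decision. The certificate labels and the two sample ClientHellos are constructed for the example; a client that omits the extension is treated as RFC 5246 prescribes, as able to verify only SHA-1, which is the situation the message describes.

```python
"""TLS 1.2 signature_algorithms extension (RFC 5246, 7.4.1.4.1) and the
server-side certificate choice it enables. Added example, not part of the
original mailing-list thread."""
import struct

# Code points from RFC 5246 section 7.4.1.4.1.
HASH = {"none": 0, "md5": 1, "sha1": 2, "sha224": 3,
        "sha256": 4, "sha384": 5, "sha512": 6}
SIG = {"anonymous": 0, "rsa": 1, "dsa": 2, "ecdsa": 3}
HASH_NAME = {v: k for k, v in HASH.items()}
SIG_NAME = {v: k for k, v in SIG.items()}
EXT_SIGNATURE_ALGORITHMS = 13


def encode_signature_algorithms(pairs):
    """Build the extension as it appears in a ClientHello extensions block:
    uint16 extension_type, uint16 extension length, then a
    uint16-length-prefixed list of (hash, signature) byte pairs."""
    body = b"".join(bytes([HASH[h], SIG[s]]) for h, s in pairs)
    data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data


def decode_extensions(blob):
    """Walk a ClientHello extensions block and return {extension_type: data}."""
    exts = {}
    i = 0
    while i + 4 <= len(blob):
        ext_type, ext_len = struct.unpack("!HH", blob[i:i + 4])
        exts[ext_type] = blob[i + 4:i + 4 + ext_len]
        i += 4 + ext_len
    return exts


def parse_signature_algorithms(data):
    """Decode the extension payload into a list of (hash_name, sig_name)."""
    (n,) = struct.unpack("!H", data[:2])
    if n % 2 or 2 + n != len(data):
        raise ValueError("malformed signature_algorithms extension")
    return [(HASH_NAME[data[j]], SIG_NAME[data[j + 1]])
            for j in range(2, 2 + n, 2)]


def client_accepts(extensions, hash_name, sig_name):
    """Can this client verify a certificate signed with (hash, sig)?
    Without the extension the server has no information and, per RFC 5246,
    must assume SHA-1 only: the 'no way of knowing' case from the message."""
    data = extensions.get(EXT_SIGNATURE_ALGORITHMS)
    if data is None:
        return hash_name == "sha1" and sig_name in ("rsa", "dsa", "ecdsa")
    return (hash_name, sig_name) in parse_signature_algorithms(data)


def choose_certificate(extensions, available):
    """Return the label of the first certificate, in server preference order,
    that the client can verify, or None if there is none.
    `available` is a list of (label, hash_name, sig_name)."""
    for label, h, s in available:
        if client_accepts(extensions, h, s):
            return label
    return None


# Constructed sample: a server holding both a SHA-256 and a SHA-1 RSA cert.
SERVER_CERTS = [("rsa-sha256.pem", "sha256", "rsa"),
                ("rsa-sha1.pem", "sha1", "rsa")]

# Constructed ClientHello extension blocks: a TLS 1.2 client that lists
# SHA-256, and a legacy client that sends no extension at all.
MODERN_HELLO_EXTS = encode_signature_algorithms([("sha256", "rsa"), ("sha1", "rsa")])
LEGACY_HELLO_EXTS = b""

if __name__ == "__main__":
    for name, exts in (("modern", MODERN_HELLO_EXTS), ("legacy", LEGACY_HELLO_EXTS)):
        print(name, "->", choose_certificate(decode_extensions(exts), SERVER_CERTS))
```

The legacy case is the one that matters operationally: a server that owns only a SHA-2 certificate returns None for such a client, which in a real handshake means a failed connection rather than a graceful fallback, so the SHA-1 certificate has to stay deployed until clients without the extension are gone.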
---------------------------------------------------------------------
The Cryptography Mailing List