[144402] in cryptography@c2.net mail archive
Re: SHA-1 collisions now at 2^{52}?
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Sat May 2 13:04:28 2009
Date: Sat, 02 May 2009 09:58:39 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ggr@qualcomm.com,
perry@piermont.com,
cryptography@metzdowd.com
In-Reply-To: <E1M0Bue-0007Rb-4v@wintermute01.cs.auckland.ac.nz>
At Sat, 02 May 2009 21:53:40 +1200,
Peter Gutmann wrote:
>
> "Perry E. Metzger" <perry@piermont.com> writes:
> >Greg Rose <ggr@qualcomm.com> writes:
> >> It already wasn't theoretical... if you know what I mean. The writing
> >> has been on the wall since Wang's attacks four years ago.
> >
> >Sure, but this should light a fire under people for things like TLS 1.2.
>
> Why?
>
> Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
> SHA-1/MD5 dual hashes)? Do you think the phishers will even notice this as
> they sort their multi-gigabyte databases of stolen credentials?
Again, I don't want to get into a long argument with Peter about TLS 1.1 vs.
TLS 1.2, but TLS 1.2 also defines an extension that lets the client tell
the server that it would take a SHA-256 certificate. Absent that, it's
not clear how the server would know.
Of course, you could use that extension with 1.1 and maybe that's what the
market will decide...
-Ekr
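As an added illustration of the extension Eric refers to, and not code from any poster in this thread: TLS 1.2 carries the client's acceptable certificate signature algorithms in the signature_algorithms extension (type 13, RFC 5246 section 7.4.1.4.1) as a list of (hash, signature) byte pairs, and a server that does not see the extension is told to assume only {sha1, sig}. The example below encodes and parses that extension and makes the server-side decision of whether a SHA-256 certificate can safely be presented. The ClientHello extension bytes and the `choose_cert_hash` helper are constructed for this example.

```python
import struct

# Values from RFC 5246 section 7.4.1.4.1 (TLS 1.2 signature_algorithms).
EXT_SIGNATURE_ALGORITHMS = 13
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
HASH_SHA1, HASH_SHA256, SIG_RSA = 2, 4, 1


def build_signature_algorithms(pairs):
    """Encode (hash, sig) pairs as a complete extension: type, length, list."""
    body = b"".join(bytes([h, s]) for h, s in pairs)
    inner = struct.pack("!H", len(body)) + body          # supported_signature_algorithms
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(inner)) + inner


def parse_extensions(blob):
    """Split a ClientHello extensions block (without its leading 2-byte total
    length) into {extension_type: raw_data}, rejecting truncated input."""
    exts = {}
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + elen > len(blob):
            raise ValueError("truncated extension body")
        exts[etype] = blob[off:off + elen]
        off += elen
    return exts


def parse_signature_algorithms(data):
    """Decode the extension body into a list of (hash_id, sig_id) tuples."""
    if len(data) < 2:
        raise ValueError("signature_algorithms body too short")
    (n,) = struct.unpack_from("!H", data, 0)
    if n % 2 or 2 + n != len(data):
        raise ValueError("bad signature_algorithms length")
    return [(data[i], data[i + 1]) for i in range(2, 2 + n, 2)]


def describe(pairs):
    """Human-readable names, e.g. 'sha256/rsa'; unknown codes are shown numerically."""
    return ["%s/%s" % (HASH_NAMES.get(h, str(h)), SIG_NAMES.get(s, str(s)))
            for h, s in pairs]


def client_accepts(exts, hash_id, sig_id):
    """Server-side check. With no extension present, RFC 5246 tells the server to
    behave as though the client sent only {sha1, <sig>}."""
    if EXT_SIGNATURE_ALGORITHMS not in exts:
        return hash_id == HASH_SHA1
    return (hash_id, sig_id) in parse_signature_algorithms(exts[EXT_SIGNATURE_ALGORITHMS])


def choose_cert_hash(exts, sig_id=SIG_RSA):
    """Constructed policy helper: present the SHA-256 certificate only when the
    client has advertised it; otherwise fall back to the SHA-1 one."""
    return "sha256" if client_accepts(exts, HASH_SHA256, sig_id) else "sha1"


# Constructed ClientHello extension bytes: renegotiation_info (type 0xff01,
# empty renegotiated_connection) followed by signature_algorithms.
SAMPLE_TLS12_EXTS = (struct.pack("!HH", 0xFF01, 1) + b"\x00"
                     + build_signature_algorithms([(HASH_SHA256, SIG_RSA),
                                                   (HASH_SHA1, SIG_RSA)]))
# Constructed TLS 1.1-style hello: no signature_algorithms at all.
SAMPLE_TLS11_EXTS = struct.pack("!HH", 0xFF01, 1) + b"\x00"

if __name__ == "__main__":
    for label, blob in (("TLS 1.2", SAMPLE_TLS12_EXTS), ("TLS 1.1", SAMPLE_TLS11_EXTS)):
        exts = parse_extensions(blob)
        sigalgs = exts.get(EXT_SIGNATURE_ALGORITHMS)
        print(label, "advertises:",
              describe(parse_signature_algorithms(sigalgs)) if sigalgs else "(none)",
              "-> serve", choose_cert_hash(exts), "certificate")
```

The point Eric makes is visible in `choose_cert_hash`: without the extension the server has no signal beyond the RFC's SHA-1 default, so a SHA-256 certificate can only be selected for clients that explicitly list it.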
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com