[144409] in cryptography@c2.net mail archive


Re: [tahoe-dev] SHA-1 broken!

daemon@ATHENA.MIT.EDU (Christian Rechberger)
Mon May 4 17:56:51 2009

Date: Mon, 04 May 2009 00:31:03 +0200
From: Christian Rechberger <christian.rechberger@tugraz.at>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Ray Dillinger <bear@sonic.net>, Cryptography List <cryptography@metzdowd.com>
In-Reply-To: <8763gkxgwl.fsf@snark.cb.piermont.com>

Quoting "Perry E. Metzger" <perry@piermont.com>:

>
> Ray Dillinger <bear@sonic.net> writes:
>> I cannot derive a realistic threat model from the very general
>> statements in the slides.
>
> (BTW, you mean threat, not threat *model*, in this instance.)
>
> As just one obvious example of a realistic threat, consider that there
> are CAs that will happily sell you certificates that use SHA-1.
>
> Various clever forgery attacks have been used against certs that use
> MD5, see:
>
> http://www.win.tue.nl/hashclash/rogue-ca/
>
> Those attacks can now be extended to SHA-1 pretty easily. It might

It is in my opinion way too early to jump to this kind of conclusion:

Even if the new attack works as promised (and I have the feeling that
people are too optimistic here), there is the following issue:

* these advanced attacks against CAs do require a special type of
collision attack (the name "chosen-prefix attack" was coined), not a
"normal" collision attack we are talking about here for the case of
SHA-1. A chosen-prefix attack can be expected to be significantly
harder to perform than a "normal" attack. The link you provided should
contain a more in-depth discussion on this for the case of MD5.

Nevertheless, I agree that moving away from SHA-1 should be encouraged  
(since 2005).

Best,
  Christian

-- 
Christian Rechberger, Graz University of Technology, Austria.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
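To make the distinction drawn in the message above concrete, here is an added example that is not part of the original thread or its authors' work. It uses a deliberately tiny 16-bit Merkle-Damgard toy hash (SHA-256 is used only to make the compression function look random); the names `toy_hash`, `identical_prefix_collision`, `chosen_prefix_collision`, `suffix_extension_holds`, `collision_bound_to_prefix` and the sample prefixes `prefix-A` / `prefix-B` are all constructed for this illustration. It shows three things: a "normal" (identical-prefix) collision only has to make two blocks agree from one chaining value, and the resulting block pair is bound to that chaining value, so it does not collide behind a different prefix; a chosen-prefix collision has to bridge two different chaining values, which is a different and, on a real hash, much harder problem; and once the chaining values agree, any common suffix keeps the collision. On the toy everything is brute-forceable, which is the point of using it.

```python
import hashlib
import itertools
from typing import Dict, Tuple

# Toy Merkle-Damgard hash (constructed for this illustration, NOT a real hash):
# 16-bit chaining value, 4-byte message blocks, SHA-256 used only to make the
# compression function look random. Everything here is brute-forceable on purpose.
STATE_BITS = 16
BLOCK_LEN = 4
IV = 0x5A5A


def compress(chain: int, block: bytes) -> int:
    """Compression function f(h, m) -> h', truncated to STATE_BITS bits."""
    digest = hashlib.sha256(chain.to_bytes(2, "big") + block).digest()
    return int.from_bytes(digest[:2], "big")


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then 16-bit bit length."""
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK_LEN:
        padded += b"\x00"
    return padded + ((len(msg) * 8) & 0xFFFF).to_bytes(2, "big")


def absorb(chain: int, data: bytes) -> int:
    """Run the compression function over block-aligned data."""
    assert len(data) % BLOCK_LEN == 0
    for i in range(0, len(data), BLOCK_LEN):
        chain = compress(chain, data[i:i + BLOCK_LEN])
    return chain


def toy_hash(msg: bytes) -> int:
    return absorb(IV, pad(msg))


def identical_prefix_collision(prefix: bytes) -> Tuple[bytes, bytes]:
    """'Normal' collision: both messages share one prefix, so the search only
    needs f(h, m1) == f(h, m2) for the SINGLE chaining value h reached after
    that prefix (a one-list birthday search; pigeonhole bounds it at 2^16+1)."""
    h = absorb(IV, prefix)
    seen: Dict[int, bytes] = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK_LEN, "big")
        out = compress(h, block)
        if out in seen:
            return prefix + seen[out], prefix + block
        seen[out] = block


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes) -> Tuple[bytes, bytes]:
    """Chosen-prefix collision: the messages start from DIFFERENT prefixes, so the
    search must bridge two different chaining values, f(h_a, m1) == f(h_b, m2).
    On this toy that is a two-list birthday search; on a real hash the
    differential path must connect two unrelated states, which is why it is
    expected to be far harder than the identical-prefix case."""
    assert len(prefix_a) == len(prefix_b), "toy keeps lengths equal so padding matches"
    h_a, h_b = absorb(IV, prefix_a), absorb(IV, prefix_b)
    table_a: Dict[int, bytes] = {}
    for n in range(1 << (STATE_BITS + 2)):  # cover (almost) the whole 16-bit state space
        block = n.to_bytes(BLOCK_LEN, "big")
        table_a.setdefault(compress(h_a, block), block)
    for n in itertools.count():
        block = n.to_bytes(BLOCK_LEN, "big")
        out = compress(h_b, block)
        if out in table_a:
            return prefix_a + table_a[out], prefix_b + block


def suffix_extension_holds(m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """Once two equal-length, block-aligned messages reach the same chaining value,
    ANY common suffix preserves the collision: the rest of a larger document
    appended after the colliding blocks is irrelevant to the final hash."""
    return toy_hash(m1 + suffix) == toy_hash(m2 + suffix)


def collision_bound_to_prefix(prefix_a: bytes, prefix_b: bytes) -> Tuple[bool, bool]:
    """Why a 'normal' collision does not give a chosen-prefix one for free: the
    block pair found after prefix_a collides there, but the same two blocks placed
    behind a different prefix (different chaining value) no longer collide."""
    m1, m2 = identical_prefix_collision(prefix_a)
    b1, b2 = m1[len(prefix_a):], m2[len(prefix_a):]
    same = toy_hash(m1) == toy_hash(m2)
    moved = toy_hash(prefix_b + b1) == toy_hash(prefix_b + b2)
    return same, moved


if __name__ == "__main__":
    pa, pb = b"prefix-A", b"prefix-B"  # constructed 8-byte (block-aligned) prefixes
    m1, m2 = identical_prefix_collision(pa)
    print("identical-prefix collision:", m1.hex(), m2.hex(), hex(toy_hash(m1)))
    print("survives common suffix:", suffix_extension_holds(m1, m2, b"...rest of doc"))
    print("(collides after own prefix, after other prefix):", collision_bound_to_prefix(pa, pb))
    c1, c2 = chosen_prefix_collision(pa, pb)
    print("chosen-prefix collision:", c1.hex(), c2.hex(), toy_hash(c1) == toy_hash(c2))
```

The identical-prefix search stops after roughly 2^8 compression calls on this toy, while the chosen-prefix search first has to tabulate outputs from one chaining value and then hit that table from the other; with a real 160-bit state neither generic search is feasible, and the published SHA-1 results discussed in the thread are identical-prefix differential attacks, which is exactly why the message treats the chosen-prefix setting needed for certificate forgery as a separate, harder question.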
