[144410] in cryptography@c2.net mail archive


Re: [tahoe-dev] SHA-1 broken!

daemon@ATHENA.MIT.EDU (Christian Rechberger)
Mon May 4 17:57:52 2009

Date: Mon, 04 May 2009 00:35:03 +0200
From: Christian Rechberger <christian.rechberger@tugraz.at>
To: Sandy Harris <sandyinchina@gmail.com>
Cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <c5528eee0905030459r24dfcb1cw55693498328148a6@mail.gmail.com>

> On Sat, May 2, 2009 at 12:33 PM, Perry E. Metzger <perry@piermont.com> wrote:
>
>> As just one obvious example of a realistic threat, consider that there
>> are CAs that will happily sell you certificates that use SHA-1.
>>
>> Various clever forgery attacks have been used against certs that use
>> MD5, see:
>>
>> http://www.win.tue.nl/hashclash/rogue-ca/
>>
>> Those attacks can now be extended to SHA-1 pretty easily. It might
>> require a bit of compute infrastructure -- say a lot of FPGAs and a
>> bunch of cleverness -- to turn out certs quickly, but it can be
>> done. Given that there are lots of high value certs out there of this
>> form, this is rather dangerous.
>
> Off-the-shelf FPGA-based device that breaks DES by brute force in
> about a week, costs 9,000 euros: http://www.copacobana.org/
> These are commercially available and programmable. Setting a
> few of them up to break SHA-1 certainly would not be trivial,
> but it looks feasible.

The design of DES facilitates this kind of throughput/cost gains on FPGAs.

Remember that the MD4 family (incl. SHA-1) was designed to be
efficient on 32-bit CPUs. For these hash functions, it is much harder
to get a throughput/cost gain on FPGAs compared to off-the-shelf CPUs.
At least, this was my conclusion when I quickly looked into this a few
years ago.

Best,
  Christian

-- 
Christian Rechberger, Graz University of Technology, Austria

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
