[18672] in cryptography@c2.net mail archive


Re: [saag] status of SSL vs SHA-1/MD-5, etc.?

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Oct 16 10:41:02 2005

X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Alex Alten <alex@alten.org>
Cc: cryptography@metzdowd.com, saag@mit.edu, cfrg@ietf.org
In-Reply-To: Your message of "Sun, 16 Oct 2005 00:00:40 PDT."
             <4.3.2.7.1.20051015234218.0525d718@mail.alten.org> 
Date: Sun, 16 Oct 2005 09:46:12 -0400

In message <4.3.2.7.1.20051015234218.0525d718@mail.alten.org>, Alex Alten writes:
>Everyone,
>
>So where do we stand with secure networking protocols vs SHA-1/MD-5?
>
>Is SSL at risk? Is TLS OK (because of HMAC)?
>
>SSH, IPSec, etc?
>

The major risk that I know of is for signed objects, which generally 
means signed email, i.e., S/MIME and PGP.  MD5 absolutely should not be 
used for email, period.  The current attack on SHA-1 is probably 
infeasible for most attackers; that said, it would be better to have 
something stronger.  We'll know more about that in two weeks, after 
NIST's Hash Function Workshop.  As I mentioned on the cryptography list 
-- did you really have to post your query to all three lists? -- a few 
days ago, NSA rated SHA-384 as suitable for Top Secret traffic, though 
I'll note that the authenticity of a message rarely has the long-term 
need for security as does confidentiality.  

As Eric Rescorla and I showed, though, none of the network protocols 
are ready for deployment of a new hash function.  That is, newer 
versions of OpenSSL may support SHA-256, but there's no way to 
negotiate such usage if you don't know the status of the system to 
which you're talking.  

My own estimate is that it will take 4-8 years before everything just 
works: 1 year for the IETF to standardize negotiation mechanisms, 1-2 
years for design, code, and test by vendors, and 2-5 years for 
deployment by the user community -- note that most machines are *never* 
upgraded, only replaced.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
