[110341] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Jan 3 10:49:14 2009

Date: Sat, 3 Jan 2009 10:49:04 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: William Warren <hescominsoon@emmanuelcomputerconsulting.com>
In-Reply-To: <495F779A.9000905@emmanuelcomputerconsulting.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sat, 03 Jan 2009 09:35:06 -0500
William Warren <hescominsoon@emmanuelcomputerconsulting.com> wrote:

> Everyone seems to be stampeding to SHA-1... yet it was broken in 2005.
> So we trade MD5 for SHA-1?  This makes no sense.
> 
(a) SHA-1 was not broken as badly.  The best attack is, as I recall,
2^63, which is computationally infeasible without special-purpose
hardware.

(b) Per a paper Eric Rescorla and I wrote, there's no usable
alternative, since too many protocols (including TLS) don't negotiate
hash functions before presenting certificates.  In particular, this
means that a web site can't use SHA-256 because (1) most clients won't
support it; and (2) it can't tell which ones do.  (Note that this
argument applies just as much to combinations of hash functions --
anything that *the large majority of today's* browsers don't implement
isn't usable.)

These two points lead us to (c): security is a matter of economics, not
algorithms.  Switching now to something else loses more in connectivity
or customers than you would lose from such an expensive attack.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
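A defender's first step in the situation discussed above is knowing which certificates in a chain still carry an MD5 or SHA-1 signature. The following is an added example, not code from this thread or from any of its participants: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate and flags MD5/SHA-1. The sample certificate it builds is a constructed shell (placeholder tbsCertificate and signatureValue around a real AlgorithmIdentifier), so `check_cert` can be tried offline; passing a real certificate's DER bytes works the same way.

```python
# Signature-algorithm OIDs from RFC 3279 / RFC 4055.
SIGALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)         # skip tbsCertificate
    _, algid, _ = read_tlv(body, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def check_cert(der):
    """Return (algorithm name or dotted OID, True if the hash is MD5 or SHA-1)."""
    oid = cert_signature_oid(der)
    return SIGALG_NAMES.get(oid, oid), oid in WEAK

def sample_cert(last_arc):
    """Constructed sample (not a real certificate): placeholder tbsCertificate and
    signatureValue around a real AlgorithmIdentifier 1.2.840.113549.1.1.<last_arc>."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v      # short-form lengths suffice here
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    algid = tlv(0x30, tlv(0x06, oid) + b"\x05\x00")    # OID + NULL parameters
    return tlv(0x30, tbs + algid + tlv(0x03, b"\x00" * 17))
```

Note that this reads only the outer signatureAlgorithm; RFC 5280 requires it to match the signature field inside tbsCertificate, and a thorough audit checks both.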
