On 20 Feb 2006, at 1:34 PM, Hallam-Baker, Phillip wrote:
> Actually I think it is very clear what we will be using in 5 years
> time, either what we are using today or the NSA suite B with the
> possible replacement of the hash algorithm.
I think it will take longer than five years, but it's still coming.
> A better question would be 'do we know how to manage the transition
> from one algorithm to another'. That is what has never been
> effectively accomplished in the field to date.
On the contrary, it's been done a number of times. The OpenPGP world
migrated away from MD5 in '97-99. It migrated away from RSA, and then
back to it. It's doing just fine now migrating away from SHA-1. It's
just a matter of having the right hooks in there. There are plenty of
other places where you're right and the places where it has been
badly handled outnumber the ones where it has been done well. But
that's not 'never.'
This is a software engineering issue, not a crypto issue.
> > In other words, you think it appropriate to *require* that
> > all signers *always* use SHA-256?
> >
> > This would mean, for example, that support for the next,
> > preferred algorithm, would require revising and re-issuing the
> > specification.
> This is actually a problem across all the IETF security specs and
> across all the standards organizations. What we really need is a WG
> that describes how to deploy a replacement crypto set across the board.
>
> Having discussed this issue with the cryptographers the clear
> consensus there is that the announced weaknesses in SHA-1 almost
> certainly affect SHA-256 and that we should be looking for hash
> functions designed on different principles rather than promoting
> SHA-256 as a cure.
>
> Even with the known compromise SHA-1 is considerably stronger than the
> RSA keys we are expecting to use. Break the hash and you may be
> able to fake one bit in one document. Factoring the RSA key is less
> work and allows you to sign any document you like.
>
> It is not rational to be obsessing about SHA256 when we have bigger
> problems with RSA. If it was not for the patent issues I would push
> for ECC as per suite B.
I think 3k-4k RSA will be with us for a long, long time. But I do
agree with the basic premise, that patent issues are a stumbling
block to suite B. Fortunately, I don't think we'll *need* suite B
until those are not issues.
I would not object at all to just biting the bullet and saying we're
going to use SHA-256 now. But on the other hand, dealing with both
SHA-1 and SHA-256 now will force the software engineering flexibility
in place, and that will be good when the hash we want to use is
finally invented.
Jon
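The "right hooks" Jon describes, and the point that carrying SHA-1 and SHA-256 side by side forces the flexibility a later hash will need, can be shown concretely. The script below is an added example written for this edit; it is not code from the list, from OpenPGP or from any DKIM implementation. It assumes a DKIM-like `a=<alg>; b=<value>` header layout, a constructed policy table with made-up algorithm tags, and HMAC standing in for an RSA signature so it runs on the standard library alone. The point it makes is that the migration (stop issuing SHA-1, keep verifying it for a while, then retire it) is a one-line policy change, never a change to the sign or verify logic.

```python
"""Hash-agile sign/verify driven by an explicit per-algorithm policy.

Added example, not from the list thread. The 'a=...; b=...' header layout is
DKIM-like; the algorithm names, the policy table and the use of HMAC in place
of an RSA signature are assumptions so the script runs offline.
"""
import hmac

# Policy table. "sign": may new signatures use it?  "verify": are existing
# signatures with it still accepted?  A migration is a change to this table:
#   1. add the new algorithm with sign=True
#   2. flip the old one to sign=False (verify-only, legacy mail still checks)
#   3. later flip verify=False (retired; treated like no signature at all)
ALGORITHMS = {
    "hmac-sha256": {"digest": "sha256", "sign": True,  "verify": True},
    "hmac-sha1":   {"digest": "sha1",   "sign": False, "verify": True},   # step 2
    "hmac-md5":    {"digest": "md5",    "sign": False, "verify": False},  # step 3
}
PREFERRED = "hmac-sha256"

# Constructed demo key and message body (not real credentials or mail).
KEY = b"constructed-demo-key"
BODY = b"From: alice@example.test\r\n\r\nmeeting moved to 3pm\r\n"


def can_sign(alg: str) -> bool:
    """True if policy allows issuing new signatures with this algorithm."""
    spec = ALGORITHMS.get(alg)
    return spec is not None and spec["sign"]


def _mac(key: bytes, body: bytes, alg: str) -> str:
    # HMAC is the stand-in for the real signing primitive (assumption).
    return hmac.new(key, body, ALGORITHMS[alg]["digest"]).hexdigest()


def sign(key: bytes, body: bytes, alg: str = PREFERRED) -> str:
    """Emit a signature header; refuse algorithms policy has withdrawn for signing."""
    if not can_sign(alg):
        raise ValueError(f"algorithm not permitted for new signatures: {alg}")
    return f"a={alg}; b={_mac(key, body, alg)}"


def legacy_sign(key: bytes, body: bytes, alg: str) -> str:
    """What a pre-migration signer produced. Only here to build verify() fixtures."""
    return f"a={alg}; b={_mac(key, body, alg)}"


def parse_header(header: str) -> dict:
    """Split 'k=v; k=v' into a dict. Unknown tags are kept, not rejected,
    so a future tag does not break parsing of today's headers."""
    tags = {}
    for field in header.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def verify(key: bytes, body: bytes, header: str) -> str:
    """Return 'pass', 'pass-legacy', 'fail' or 'reject-unsupported-alg'.

    The algorithm is taken from the header, looked up in policy, and only
    then used; an unknown or retired algorithm is reported distinctly from a
    bad signature so operators can see migration traffic in their logs."""
    tags = parse_header(header)
    alg = tags.get("a")
    spec = ALGORITHMS.get(alg)
    if spec is None or not spec["verify"]:
        return "reject-unsupported-alg"
    if not hmac.compare_digest(_mac(key, body, alg), tags.get("b", "")):
        return "fail"
    return "pass" if spec["sign"] else "pass-legacy"


if __name__ == "__main__":
    hdr = sign(KEY, BODY)
    print(hdr)
    print("current   :", verify(KEY, BODY, hdr))
    print("legacy    :", verify(KEY, BODY, legacy_sign(KEY, BODY, "hmac-sha1")))
    print("tampered  :", verify(KEY, BODY + b"!", hdr))
    print("retired   :", verify(KEY, BODY, legacy_sign(KEY, BODY, "hmac-md5")))
    print("unknown   :", verify(KEY, BODY, "a=hmac-future; b=00"))
```

The verifier never special-cases a hash name; it consults the table, so adding the "hash we want to use" later means one new row and, eventually, one flipped flag on the old row. Keeping `pass-legacy` distinct from `pass` is what lets an operator measure when the old algorithm can safely move to the retired state.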
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html