ietf-openpgp

Re: SHA-1 broken

2005-02-17 05:53:50

Werner Koch wrote:

> On Thu, 17 Feb 2005 09:36:08 +0000 (UTC), Lutz Donnerhacke said:
>
> > Don't panic. This problem is already solved by allowing different
> > hash-algorithms in the packet format. As long as no detailed examination of
>
> The fingerprint and the MDC both use SHA-1 hardwired.

It would seem an easy matter to add some options
on fingerprint.  That's something that could be
added to the standard as a MAY and people can
switch across if the weaknesses in SHA1 move
across to economically exploitable status.

For the MDC, that sounds more of a challenge.  I
would suspect that the call is now on for a change to
the draft to allow alternate algorithms there!  Are
there any easy ways?  Or is this a deal breaker?

Given the rapid advance of the attack by the Shandong
team we should basically expect SHA-1 to be broken
within the year.  So, I would guess within the time
frame of completing the draft, we may have to set
it up so that it is prepared for that event.

Which would mean that all uses of SHA-1 would have
an alternate.  It doesn't necessarily mean that SHA-1
changes from MUST to SHOULD.

> We should really start thinking on how to switch to a different hash
> algorithm.  The question is whether sha-256 is really that much more
> secure.  From my understanding it has not been developed as a
> replacement for SHA-1 but to meet the requirements of AES and to
> extend DSA.

I think if all attacks are still limited by the fundamental
birthday principle, SHA-256 is likely to be safe.  What is
worrying to the academic world is the fact that the
foundation of SHA-256 is as an extended SHA-1 (which
was an extended MD5, which was....) and this entire
approach is now being subjected to reduced rounds
attacks.  Note that SHA-1 in unpadded form has lost
11 of its 80 bits.  Even if SHA-256 lost 80 of 160 bits it
would still be good!

Academic elegance does not concern us here.

If SHA-256 is big-and-ugly enough to overcome all but
the most ridiculous of birthday attacks then it will serve
our purposes .... perhaps at least for the five year interim
required for the academics to come up with the next
generation.

(Quick question - how long was it from the start of the
AES competition to the announcement?  About 4 years?)

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/
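As an added illustration (not part of the thread or of any OpenPGP implementation), the two hardwired uses Werner points at: the v4 fingerprint (SHA-1 over 0x99, a two-octet length, and the public-key packet body, with the key ID as its low 64 bits) and the MDC trailer 0xD3 0x14, whose length octet is SHA-1's own output size, both as later fixed in RFC 4880. The hash name parameter on the fingerprint, and the toy key values, are constructed for the example.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a version-4 Public-Key packet: version 4, creation time, algorithm id, MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def fingerprint_preimage(body: bytes) -> bytes:
    """What the fingerprint hashes: tag octet 0x99, two-octet body length, then the body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes, hash_name: str = "sha1") -> bytes:
    """v4 fingerprint. The standard hardwires SHA-1; hash_name is the 'alternate' the thread
    discusses (an assumption of this example), and changing it also changes the digest length."""
    return hashlib.new(hash_name, fingerprint_preimage(body)).digest()


def key_id(fingerprint: bytes) -> bytes:
    """Key ID = low-order 64 bits (last eight octets) of the fingerprint."""
    return fingerprint[-8:]


def mdc_digest(prefixed_plaintext: bytes) -> bytes:
    """MDC value: SHA-1 over the plaintext (with its random prefix) plus the trailer 0xD3 0x14,
    i.e. the MDC packet tag and a length octet of 20, SHA-1's output size. Because that length
    sits inside the hashed data, an alternate hash here is more than a parameter swap."""
    return hashlib.sha1(prefixed_plaintext + b"\xd3\x14").digest()


if __name__ == "__main__":
    # Constructed toy RSA key (algorithm 1) with tiny MPIs; not a real key.
    body = v4_public_key_body(1108612800, 1, [0xC0FFEE, 65537])
    print("sha1   fingerprint:", v4_fingerprint(body).hex())
    print("sha256 fingerprint:", v4_fingerprint(body, "sha256").hex())
    print("key id:", key_id(v4_fingerprint(body)).hex())
```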

