ietf-openpgp

Re: NIST publishes new DSA draft

2006-03-15 02:54:11
James Couzens writes:
I had thought it a bit strange that someone writing so comprehensively
about something related to digital signatures would then make the
statement as you did at the end of the paragraph I quoted.  Did you have
some other intended meaning, such as broken by draft explicit
prohibition or otherwise declared deprecated in a future draft?

Yes, sorry, my language was not as precise as it might have been.
I said we should be ready in case SHA-1 were broken, but as you note
it has been officially "broken" for over a year.  However that is just
a theoretical break and no actual examples of SHA-1 message collisions
have yet been published.  So at this point SHA-1 is in a bit of a limbo
state, theoretically broken but still in widespread use.
The problem lies in the use of the term "broken"
which sounds great in the popular press, but is
insufficiently precise for serious forums and
serious protocol work.  A more appropriate term is
that SHA1 is weakened - from 80 bits to 69 bits -
for some uses.

Analysis in this forum in the past has indicated
that - approximately - SHA1 is still good, but we
should move over as and when we can select good
alternatives.  NIST's new DSA announcement I think
makes the case that SHA256 is going to be around a
lot longer than some of us earlier speculated, so
that looks like the target for now.

If the attack should get worse so that SHA-1 collisions could be found
in a practical amount of time, then we would have a much more urgent
need to switch to another hash.  That is what I really meant when I
said we should be ready if SHA-1 should be broken.

Yes, it's a concern.  FTR, I agree with Hal that
we should seriously consider taking the draft out
of last call (dammit!) ... hopefully it won't take
too long to get enough consensus and some rough
working code?

iang