ietf-openpgp

Re: [Sam Hartman] Openpgp comments

2006-09-19 16:15:03
On Mon, Sep 18, 2006 at 10:33:32PM -0400, David Shaw wrote:

> On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
> 
> > The second issue is the encryption with integrity packet.  Today this
> > is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> > for that and I think we need to support SHA-256 now.
> 
> Does the MDC actually need collision resistance?  I was under the
> impression that (like the secret key "S2K 254" use of SHA-1) this was
> essentially a checksum and the recent attacks against SHA-1 did not
> apply.

I have just discussed this issue with my students at our cryptography
seminar. The general consensus is that MDCs do not need collision
resistance. Thus, SHA1 is secure with a huge security margin. The recent
weakening of SHA1 means that finding a pre-image takes approx 2^138
attempts, which is still comfortably beyond reach for today's and tomorrow's
technology. Introducing longer hashes would make it slower, while not
improving security. If you insist, I can provide the complete reasoning why
collision-resistance is not required for MDC.

If anything, I would consider RIPEMD128, as it is faster than SHA1 and
offers about the same level of security while being a bit shorter. But
then again, there's no reason to mess with the standard as it is.

-- 
Daniel
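The construction under discussion, as an added illustration that is not part of the thread: a small model of the Symmetrically Encrypted Integrity Protected packet (RFC 4880 section 5.13), where SHA-1 is computed over the random prefix, the plaintext and the two MDC header bytes 0xD3 0x14, and the hash is then encrypted along with the data. The stream cipher here is a stand-in (SHA-256 in counter mode) chosen only so the example runs offline; OpenPGP actually uses a block cipher in CFB mode. The point the model makes visible is the one the thread turns on: the attacker sees ciphertext but never the hash or its input, so changing any ciphertext bit is detected by the recomputed MDC without requiring collision resistance from the hash.

```python
"""Model of OpenPGP's integrity-protected packet (added example, not from the thread)."""
import hashlib
import hmac
import os
from typing import Optional

BLOCK_SIZE = 16                        # cipher block size assumed (AES-sized)
MDC_TRAILER = b"\xd3\x14"              # MDC packet header: tag 0xD3, length 0x14 (20 bytes)
MDC_LEN = hashlib.sha1().digest_size   # 20-byte SHA-1 output


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 in counter mode.

    This is NOT OpenPGP's CFB mode and is not a real cipher design. It only
    models the property the argument relies on: the attacker sees ciphertext
    and can flip its bits, but never sees the plaintext or the hash in clear.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seip_encrypt(key: bytes, plaintext: bytes, prefix: Optional[bytes] = None) -> bytes:
    """Build and encrypt the integrity-protected body.

    Layout before encryption:
        random prefix (one block + repeat of its last two bytes)
        || plaintext || 0xD3 0x14 || SHA-1(everything before the hash)
    """
    if prefix is None:
        prefix = os.urandom(BLOCK_SIZE)
    if len(prefix) != BLOCK_SIZE:
        raise ValueError("prefix must be exactly one cipher block")
    body = prefix + prefix[-2:] + plaintext + MDC_TRAILER
    mdc = hashlib.sha1(body).digest()
    data = body + mdc
    return _xor(data, _keystream(key, len(data)))


def seip_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt and verify; raise ValueError on any integrity failure."""
    min_len = BLOCK_SIZE + 2 + len(MDC_TRAILER) + MDC_LEN
    if len(ciphertext) < min_len:
        raise ValueError("packet too short to carry an MDC")
    data = _xor(ciphertext, _keystream(key, len(ciphertext)))
    body, mdc = data[:-MDC_LEN], data[-MDC_LEN:]
    prefix = body[:BLOCK_SIZE + 2]
    # The repeated prefix bytes are the quick "is the session key right" check.
    if prefix[-2:] != prefix[BLOCK_SIZE - 2:BLOCK_SIZE]:
        raise ValueError("bad session key or corrupted prefix")
    if body[-2:] != MDC_TRAILER:
        raise ValueError("missing MDC trailer")
    # Constant-time comparison of the recomputed hash with the received one.
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        raise ValueError("MDC mismatch: message was modified")
    return body[BLOCK_SIZE + 2:-len(MDC_TRAILER)]


def tamper_detected(key: bytes, ciphertext: bytes, index: int) -> bool:
    """Flip one bit of the ciphertext at `index` and report whether verification rejects it."""
    mutated = bytearray(ciphertext)
    mutated[index] ^= 0x01
    try:
        seip_decrypt(key, bytes(mutated))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    demo_key = b"\x01" * 32                     # constructed sample key
    ct = seip_encrypt(demo_key, b"attack at dawn")
    print(seip_decrypt(demo_key, ct))
    print(all(tamper_detected(demo_key, ct, i) for i in range(len(ct))))
```

Every flipped bit, whether in the prefix, the data, the trailer or the hash itself, is rejected: the receiver recomputes SHA-1 over what it actually decrypted, and an attacker who cannot see that input has no way to steer the hash toward a value that would still match.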

