[Geek-Crypto] New Results Against SHA-1

[furrbear]

http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf

There is not much hard information yet, but the two big quotes are "SHA-1 collisions now 2^52" and "Practical collisions are within resources of a well funded organisation."

Hmm, what to do about all the applications where SHA-1 is hardwired? There's still plenty of MD-5 out there too.

Comments

[sultmhoor.livejournal.com]

I'm glad I'm not too paranoid using sha-512 with 32 bit salts, lol.

[cipherpunk.livejournal.com]

… what to do about all the applications where SHA–1 is hardwired? There’s still plenty of MD–5 out there too.

I think the plan these people have is, with a tip o’ the hat to Sluggy, “commence simultaneous panic, on my mark…”

[backrubbear.livejournal.com]

IETF is still trying to push sha-1 into the infrastructure in reaction to the ancient "md5 is weak" news. Sounds like it'll get support about the time that it's a bit late.

The nice thing is that most of its uses can live with weak algorithms as long as key rotation is used. But as a counter to that, key rotation happens very seldom. IKE and routing protocols don't coexist very well.

[cipherpunk.livejournal.com]

The thing which stuns me most about the IETF’s push towards SHA–1 is that they are once again learning almost exactly the wrong lesson from history.

Which algorithms are used is not relevant. Algorithms have a finite life span. The existence of a migration mechanism is enormously relevant, and most protocols don’t have it.

[backrubbear.livejournal.com]

That's less of an issue that you may think. Most modern protocols tend to allow a selection field to allow crypto protocols to be applied arbitrarily. The main problem is getting the vendors to *support* them since they have to be usually implemented in hardware.