lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 1 Dec 2007 18:39:56 +0100
From: "James Matthews" <nytrokiss@...il.com>
To: steven@...urityzone.org
Cc: Kristian Erik Hermansen <kristian.hermansen@...il.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: MD5 algorithm considered toxic (and harmful)

I agree! It should be changed and i have no idea why people still use it!

On Dec 1, 2007 4:20 PM, Steven Adair <steven@...urityzone.org> wrote:

> >
> >
> > There you have it.  Surely a GPL'd tool implementing this attack style
> > will be available shortly.  And since Chinese researchers have been
> > attacking SHA-1 lately, should SHA-256 be considered the proper
> > replacement?  I am unsure :-(
>
> Yes, it would probably be a good idea.  I think this link has been put out
> on this list in the past with respect to discussion on SHA-1:
>
> http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
>
> NIST might not be the bible to you on what to follow and implement, but
> they are definitely worth listening to (even if you're not a U.S. Federal
> agency) when they tell you not to use something anymore.  For those that
> don't want to click and just want to read, here's the relevant parts:
>
> ----
>
> March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
> SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
> applications using secure hash algorithms. Federal agencies should stop
> using SHA-1 for digital signatures, digital time stamping and other
> applications that require collision resistance as soon as practical, and
> must use the SHA-2 family of hash functions for these applications after
> 2010. After 2010, Federal agencies may use SHA-1 only for the following
> applications: hash-based message authentication codes (HMACs); key
> derivation functions (KDFs); and random number generators (RNGs).
> Regardless of use, NIST encourages application and protocol designers to
> use the SHA-2 family of hash functions for all new applications and
> protocols.
>
> ----
>
> Steven
> http://www.securityzone.org
>
> > --
> > Kristian Erik Hermansen
> > "I have no special talent. I am only passionately curious."
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
http://search.goldwatches.com/?Search=Movado+Watches
http://www.jewelerslounge.com
http://www.goldwatches.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ