lists.openwall.net
Open Source and information security mailing list archives
 
Date: Thu, 17 Feb 2005 18:22:31 -0800
From: Dan Harkless <bugtraq@...kless.org>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: SHA-1 broken



On February 17, 2005, Michael Cordover <michael.cordover@...il.com> wrote:
> On Wed, 16 Feb 2005 14:56:27 +0200, Gadi Evron <gadi@...ila.gov.il> wrote:
> > 
> > Where do we go from here?
> 
> The standard response to "where to now" seems to be Whirlpool
> [http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html].
>  That or Tiger [http://www.cs.technion.ac.il/~biham/Reports/Tiger/].

There has indeed been a lot of positive buzz about Whirlpool.  I have seen
comments, though, that Whirlpool is quite slow, but that Tiger is pretty
reasonable on 64-bit CPUs.

No doubt we'll see more analyses of these as the old standbys start to look
more and more shaky.

> The team which has cracked SHA1 is the same that cracked MD5 and
> exposed weaknesses in the RIPEMD model.  They're good.  And they've
> shown that what I would've thought to be the Next Best Thing - RIPEMD

Yeah, for instance RIPEMD-160 is the only other message digest algorithm
currently implemented in the OpenSSL library that would be worth using
(other than perhaps MDC2, which I haven't seen much discussion of -- it's
apparently a method of constructing a 128-bit output hash function out of a
block cipher -- the OpenSSL implementation uses DES).

> - is yet another flawed system.

The original RIPEMD is indeed flawed, as shown by Hans Dobbertin in '95 for
a reduced-round version and by the Chinese team for the full-round version.
However, I have not seen analysis saying that this weakness also applies to
RIPEMD-128 / RIPEMD-160 / RIPEMD-256 / RIPEMD-320
(<http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html>), the
strengthened versions which were co-developed by Dobbertin in '96, partially
in response to the weakness that he found.

Pages like The Hashing Function Lounge
(<http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html>) agree
with this separation of RIPEMD vs. the RIPEMD-160 family.

-- 
Dan Harkless
http://harkless.org/dan/

