| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Feb 2005 21:58:35 -0800 From: Michael Silk <michaelsilk@...il.com> To: Anatole Shaw <shaw_bugtraq20050218@...oloop.com> Cc: bugtraq@...urityfocus.com Subject: Re: SHA-1 broken I agree that an anaylsis of their results is nice and important, but also I don't think that it will neccessarily lead to a new "perfect" hashing function we can implement and forget about. A nicer idea is to implement better code that allows us to modify our internal hashing algorithms whenever we like, so that if (and when?) new hashing strategies are broken (even by virtue of faster computing power) we can adapt easily. At least, this is the approach I'll be taking to the problem. -- Michael On Sat, 19 Feb 2005 00:42:56 -0500, Anatole Shaw <shaw_bugtraq20050218@...oloop.com> wrote: > Sadly, there is no magic bullet for the SHA-1 problem. Let me say, in > classic Bugtraq style, that I believe the "temporary workaround for this > vulnerability" is to move to SHA-512 as quickly as possible. > > NIST was going to recommend SHA-256 and SHA-512 by 2010, but for the > security-conscious the time is now. > > The "computer security response" should not be to re-jigger the hashes, > bet on crypto tricks that haven't seen any review, and guess at the > computational complexity of the result. > > The only fix will be informed analysis of the new paper from the Chinese > team (which hasn't even been released yet) and the informed development > of a solid cryptographic response. > > Anatole
Powered by blists - more mailing lists