Message-ID: <b841ffed050218215862d87805@mail.gmail.com>
Date: Fri, 18 Feb 2005 21:58:35 -0800
From: Michael Silk <michaelsilk@...il.com>
To: Anatole Shaw <shaw_bugtraq20050218@...oloop.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: SHA-1 broken


I agree that an analysis of their results is nice and important, but
also I don't think that it will necessarily lead to a new "perfect"
hashing function we can implement and forget about.

A nicer idea is to implement better code that allows us to modify our
internal hashing algorithms whenever we like, so that if (and when?)
new hashing strategies are broken (even by virtue of faster computing
power) we can adapt easily.

At least, this is the approach I'll be taking to the problem.

-- Michael


On Sat, 19 Feb 2005 00:42:56 -0500, Anatole Shaw
<shaw_bugtraq20050218@...oloop.com> wrote:
> Sadly, there is no magic bullet for the SHA-1 problem.  Let me say, in
> classic Bugtraq style, that I believe the "temporary workaround for this
> vulnerability" is to move to SHA-512 as quickly as possible.
> 
> NIST was going to recommend SHA-256 and SHA-512 by 2010, but for the
> security-conscious the time is now.
> 
> The "computer security response" should not be to re-jigger the hashes,
> bet on crypto tricks that haven't seen any review, and guess at the
> computational complexity of the result.
> 
> The only fix will be informed analysis of the new paper from the Chinese
> team (which hasn't even been released yet) and the informed development
> of a solid cryptographic response.
> 
> Anatole
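
One way to build the kind of swappable hashing discussed in this message, shown as an added example that is not part of the original thread or any poster's code: each stored digest names its own algorithm, so policy can change without breaking old records. The record format `<alg>$<hex>`, the function names and the policy sets are assumptions made for this sketch, and it covers integrity digests of data, not password storage.

```python
import hashlib
import hmac

# Assumed policy: new digests use PREFERRED; records under any algorithm in
# ACCEPTED still verify; everything else is refused.
PREFERRED = "sha512"
ACCEPTED = frozenset({"sha512", "sha256", "sha1"})


def make_record(data: bytes, alg: str = PREFERRED) -> str:
    """Return a self-describing digest record: '<alg>$<hex digest>'."""
    if alg not in ACCEPTED:
        raise ValueError(f"algorithm not allowed by policy: {alg}")
    return f"{alg}${hashlib.new(alg, data).hexdigest()}"


def verify(data: bytes, record: str, accepted=ACCEPTED, preferred=PREFERRED):
    """Check data against a stored record.

    Returns (ok, replacement). replacement is a fresh record under the
    preferred algorithm when the stored one verified but is outdated,
    so the caller can overwrite it; otherwise it is None.
    """
    alg, sep, stored = record.partition("$")
    if not sep or alg not in accepted:
        return False, None  # malformed, unknown or retired algorithm: fail closed
    computed = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison of the two hex strings, as bytes.
    if not hmac.compare_digest(computed.encode(), stored.lower().encode()):
        return False, None
    if alg != preferred:
        return True, make_record(data, preferred)
    return True, None


if __name__ == "__main__":
    sample = b"constructed sample input"      # constructed for this example
    old = make_record(sample, "sha1")         # a legacy record
    ok, upgraded = verify(sample, old)
    print(ok, upgraded.split("$")[0])         # legacy record verifies, gets upgraded
    # Retiring SHA-1 later is a policy change, not a code change:
    print(verify(sample, old, accepted={"sha512", "sha256"}))
```

Records are rewritten only after a successful check against the original data, so retiring an algorithm outright still requires that its remaining records were upgraded first.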

