lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <52420.65.88.218.154.1184156651.squirrel@slashmail.org>
Date: Wed, 11 Jul 2007 08:24:11 -0400 (EDT)
From: "Steven Adair" <steven@...urityzone.org>
To: Glenn.Everhart@...se.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Humor] [archivists] National Archives
 timestamp(fwd)

Finding collisions is definitely one piece.  The other is that you can
argue about SHA-1 being the Federal standard.  Is it used more due to
widespread use in existing applications?  Yes.  However, all Federal
agencies (and people in general) should stop using it where possible. 
NIST has mandated by 2010 for most uses by Federal agencies.  I guess
we'll see how well that goes...

---
March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should stop
using SHA-1 for digital signatures, digital time stamping and other
applications that require collision resistance as soon as practical, and
must use the SHA-2 family of hash functions for these applications after
2010. After 2010, Federal agencies may use SHA-1 only for the following
applications: hash-based message authentication codes (HMACs); key
derivation functions (KDFs); and random number generators (RNGs).
Regardless of use, NIST encourages application and protocol designers to
use the SHA-2 family of hash functions for all new applications and
protocols.
---

Ref: http://csrc.nist.gov/CryptoToolkit/tkhash.html

Steven
securityzone.org

> They discover SHA256 but misunderstand somewhat. There will be cases where
> different files yield the same hash, but if the algorithm works as it
> should
> it will be infeasible to generate one given the desired hash value in any
> sufficiently simple way.
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk]On Behalf Of J.A.
> Terranson
> Sent: Wednesday, July 11, 2007 12:25 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] [Humor] [archivists] National Archives
> timestamp(fwd)
>
>
>
> The Great Unwashed Masses discover SHA-256!
>
> --
> Yours,
> J.A. Terranson
> sysadmin_at_mfn.org
> 0xBD4A95BF
>
> "The real point is that you cannot harbor malice toward others and then
> cry foul when someone displays intolerance against you. Prejudice
> tolerated is intolerance encouraged. Rise up in righteousness when you
> witness the words and deeds of hate, but only if you are willing to rise
> up against them all, including your own. Otherwise suffer the slings and
> arrows of disrespect silently."
>
> Harvey Fierstein is an actor and playwright.
>
> ---------- Forwarded message ----------
> Date: Tue, 10 Jul 2007 13:52:18 -0500
> From: Brad Jensen <brad@...tore.com>
> To: 'Bill Cribbs' <cribbswh@...oo.com>, archivists@...oogroups.com
> Subject: [archivists] National Archives timestamp
>
> For those who are not aware, there is a computational procedure
> you can do for any digital file, that creates a unique number,
> called a hash, that only matches that exact file.
>
> There is a Federal standard for one hashing algorithm, called
> SHA-1. That is a 160-biit number. More commonly used today is the
> SHA-256 hash, that generates a 256 bit number.
>
> Another term for this is 'digital thumbprint'.
>
> In the following discussion I am referring implicitly to the use
> of the SHA-256 hash.
>
> If you take a digital file 'A', and you change the order of two
> characters in the file, the hash becomes completely different.
>
> No two digital files will have the same thumbprint. You cannot
> predict what the thumbprint will be for a file.  You cannot forge
> or modify a file to match an existing thumbprint.
>
> There are digital time stamping services on the internet that
> register these 'thumbprints' to prove a particular file existed
> at a particular date and time, and it has not changed.
>
> The US Postal Service offers a time stamping service for a small
> fee that they call an 'Electronic Postmark' but it only is kept
> for seven years. They also require the user to have a digital
> certificate to establish identity of the person time stamping the
> file.
>
> I propose something simpler.
>
> I propose that the National Archives create and offer a free time
> stamping service that does not require a digital certificate. The
> purpose of this is to store and retrieve unique file identifiers
> that will establish that a file existed at a certain date and
> time, and has not changed.
>
> Then files can be archived in multiple locations across a
> distributed network, and their identity and authenticity will
> remain unquestionable.
>
> This service would be a public good, similar to the digital time
> source offered by the Navy, for example.
>
> The National Archives will keep these timestamps in perpetuity.
> They would basically be entries in a database, with a 32-byte
> thumbprint, date and time. They would be a public record, so
> anyone can look up a thumbprint and now the date and time it was
> registered.
>
> Can others see the value of this idea?
>
> I can write the basic software for this. One part would be a
> database for the National Archives with a web XML interface for
> registering and retrieving the thumbprints.
>
> It would include a feature to thumbprint each day's database
> entries, to eliminate any possibility of human interference in
> the process.  You don't have to trust anybody or even the
> institution, since the thumbprints are impossible to forge.
>
> The second thing would be a program, downloadable from a web
> page, to calculate and submit the thumbprint. I can write it in
> Windows, publish the source, and others could do the same for
> Linux, etc.
>
> What could it be used for? Scanned images, photographs, text
> documents, backup files, sound recordings, web pages, newspapers,
> anything that can be digitized.
>
> Since the only submission is the thumbprint and not the file,
> files can remain private yet still be authenticated later.
>
> And the processing load on the server is tiny.
>
> The other alternative to have someone like the National Archives
> do it, is to do it ourselves as a distributed database with
> replication across many sites and servers.
>
> I can do it myself, but this needs institutional support to last
> forever.
>
> That institution can be a formal body like the National Archives,
> or an ad hoc self-organizing one. Perhaps the latter makes sense
> in this global internet world.
>
> I think of this as the 'Forever Project' since it is the first
> thing designed to last forever.
>
> Brad Jensen
> President
> LaserVault LLC
> www.laservault.com
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> -----------------------------------------
> This transmission may contain information that is privileged,
> confidential, legally privileged, and/or exempt from disclosure
> under applicable law.  If you are not the intended recipient, you
> are hereby notified that any disclosure, copying, distribution, or
> use of the information contained herein (including any reliance
> thereon) is STRICTLY PROHIBITED.  Although this transmission and
> any attachments are believed to be free of any virus or other
> defect that might affect any computer system into which it is
> received and opened, it is the responsibility of the recipient to
> ensure that it is virus free and no responsibility is accepted by
> JPMorgan Chase & Co., its subsidiaries and affiliates, as
> applicable, for any loss or damage arising in any way from its use.
>  If you received this transmission in error, please immediately
> contact the sender and destroy the material in its entirety,
> whether in electronic or hard copy format. Thank you.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ