| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Dec 2007 18:51:47 +0100 From: Enno Rey <erey@...w.de> To: full-disclosure@...ts.grok.org.uk Subject: Re: MD5 algorithm considered toxic (and harmful) because they perform risk-analysis: - what are the threats to my assets? - which role does MD5 play there? - any subsequent risk then from using it? - high priority risk? mitigating controls or risk acceptance? would you be so kind to show me a real-world attack against a VPN using MD5 hashing? ... thanks, Enno On Sat, Dec 01, 2007 at 06:39:56PM +0100, James Matthews wrote: > I agree! It should be changed and i have no idea why people still use it! > > On Dec 1, 2007 4:20 PM, Steven Adair <steven@...urityzone.org> wrote: > > > > > > > > > > There you have it. Surely a GPL'd tool implementing this attack style > > > will be available shortly. And since Chinese researchers have been > > > attacking SHA-1 lately, should SHA-256 be considered the proper > > > replacement? I am unsure :-( > > > > Yes, it would probably be a good idea. I think this link has been put out > > on this list in the past with respect to discussion on SHA-1: > > > > http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html > > > > NIST might not be the bible to you on what to follow and implement, but > > they are definitely worth listening to (even if you're not a U.S. Federal > > agency) when they tell you not to use something anymore. For those that > > don't want to click and just want to read, here's the relevant parts: > > > > ---- > > > > March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, > > SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all > > applications using secure hash algorithms. Federal agencies should stop > > using SHA-1 for digital signatures, digital time stamping and other > > applications that require collision resistance as soon as practical, and > > must use the SHA-2 family of hash functions for these applications after > > 2010. After 2010, Federal agencies may use SHA-1 only for the following > > applications: hash-based message authentication codes (HMACs); key > > derivation functions (KDFs); and random number generators (RNGs). > > Regardless of use, NIST encourages application and protocol designers to > > use the SHA-2 family of hash functions for all new applications and > > protocols. > > > > ---- > > > > Steven > > http://www.securityzone.org > > > > > -- > > > Kristian Erik Hermansen > > > "I have no special talent. I am only passionately curious." > > > > > > _______________________________________________ > > > Full-Disclosure - We believe in it. > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > -- > http://search.goldwatches.com/?Search=Movado+Watches > http://www.jewelerslounge.com > http://www.goldwatches.com > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -- Enno Rey ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1 Handelsregister Heidelberg: HRB 7135 Geschaeftsfuehrer: Roland Fiege, Enno Rey _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists