[142142] in cryptography@c2.net mail archive

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

daemon@ATHENA.MIT.EDU (Victor Duchovni)
Sat Jan 10 12:20:35 2009

Date: Fri, 9 Jan 2009 23:09:07 -0500
From: Victor Duchovni <Victor.Duchovni@morganstanley.com>
To: cryptography <cryptography@metzdowd.com>
Mail-Followup-To: cryptography <cryptography@metzdowd.com>
In-Reply-To: <1231460627.3430.73.camel@localhost>

On Thu, Jan 08, 2009 at 06:23:47PM -0600, Dustin D. Trammell wrote:

> Nearly everything I've seen regarding the proposed solutions to this
> attack have involved migration to SHA-1.  SHA-1 is scheduled to be
> decertified by NIST in 2010, and NIST has already recommended[1] moving
> away from SHA-1 to SHA-2 (256, 512, etc.).  Collision attacks have
> already been demonstrated[2] against SHA-1 back in 2005, and if history
> tells us anything then things will only get worse for SHA-1 from here.
> By not moving directly to at least SHA-2 (until the winner of the NIST
> hash competition is known), these vendors are likely setting themselves
> up for similar attacks in the (relatively) near future.

All fine and good, but no existing OpenSSL release (including
0.9.9-dev) will by default inter-operate with the resulting (SHA2)
certificates. The SSL_library_init() call only initializes "ssl"
ciphers and digests, which do not include SHA-2. So most SSL
applications won't be able to verify the certificate signatures.
One needs to call OpenSSL_add_all_algorithms() before SHA-2
signed certificates work.

Bottom line, anyone fielding a SHA-2 cert today is not going to be happy
with their costly pile of bits.

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com