[147501] in cryptography@c2.net mail archive
Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was:
daemon@ATHENA.MIT.EDU (John Kelsey)
Sat Oct 5 10:35:29 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAMm+LwjcR_7Q4ZVyNGC-g8oG-r8LcsUrdcLn+_9RN5+uphixcg@mail.gmail.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Fri, 4 Oct 2013 10:23:38 -0400
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
...
> Dobbertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until the attack was dramatically improved and the second pre-image attack became feasible.
Just a couple nitpicks:
a. Dobbertin wasn't doing a birthday (brute force collision) attack, but rather a collision attack from a chosen IV.
b. Preimages with MD5 still are not practical. What is practical is using the very efficient modern collision attacks to do a kind of herding attack, where you commit to one hash and later get some choice about which message gives that hash.
...
> Proofs are good for getting tenure. They produce papers that are very citable.
There are certainly papers whose only practical importance is getting a smart cryptographer tenure somewhere, and many of those involve proofs. But there's also a lot of value in being able to look at a moderately complicated thing, like a hash function construction or a block cipher chaining mode, and show that the only way anything can go wrong with that construction is if some underlying cryptographic object has a flaw. Smart people have proposed chaining modes that could be broken even when used with a strong block cipher. You can hope that security proofs will keep us from doing that.
Now, sometimes the proofs are wrong, and almost always, they involve a lot of simplification of reality (like most proofs aren't going to take low-entropy RNG outputs into account). But they still seem pretty valuable to me for real-world things. Among other things, they give you a completely different way of looking at the security of a real-world thing, with different people looking over the proof and trying to attack things.
--John