[16935] in cryptography@c2.net mail archive
Re: SHA-1 cracked
daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Feb 22 11:34:17 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 17 Feb 2005 10:20:07 -0500 (GMT-05:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: Ian G <iang@systemics.com>,
"Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cryptography@metzdowd.com
>From: Ian G <iang@systemics.com>
>Sent: Feb 16, 2005 5:33 PM
>To: "Steven M. Bellovin" <smb@cs.columbia.edu>
>Cc: cryptography@metzdowd.com
>Subject: Re: SHA-1 cracked
>Stefan Brands just posted on my blog (and I saw
>reference to this in other blogs, posted anon)
>saying that "it seems that Schneier forgot to
>mention that the paper has a footnote which
>says that the attack on full SHA-1 only works
>if some padding (which SHA-1 requires) is not
>done."
Anyone know where we could find the paper? It'd be kind-of convenient when trying to assess the impact of the attack if we knew at least a few details....
If it's really the case that the attack requires colliding messages of different sizes (that's what this comment implies), then maybe the attack won't be applicable in the real world, but it's hard to be sure of that. Suppose I can find collisions of the form (X,X*) where X is three blocks long, and X* is four blocks long. Now, that won't work as a full collision, because the length padding at the end will change for X and X*. But I can find two such collisions, and still get a working attack by concatenating them.
>iang
--John Kelsey
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
