| 1 |
On Fri, 20 Oct 2017 11:23:06 +0200 |
| 2 |
Ulrich Mueller <ulm@g.o> wrote: |
| 3 |
|
| 4 |
> >>>>> On Fri, 20 Oct 2017, Dirkjan Ochtman wrote: |
| 5 |
> |
| 6 |
> > As Hanno was saying, we'll have decades of warning before a break |
| 7 |
> > becomes practical, so I don't think this is a real concern. |
| 8 |
> |
| 9 |
> How can we be sure of that? I guess the same reasoning was applied |
| 10 |
> when MD5 and SHA1 hashes were used. |
| 11 |
|
| 12 |
MD5 warning 1996: |
| 13 |
ftp://ftp.iks-jena.de/mitarb/lutz/crypt/hash/dobbertin.ps |
| 14 |
|
| 15 |
MD5 broken 2005: |
| 16 |
http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf |
| 17 |
|
| 18 |
SHA1 warning 2005: |
| 19 |
https://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf |
| 20 |
|
| 21 |
SHA1 broken 2017: |
| 22 |
https://shattered.io/ |
| 23 |
|
| 24 |
|
| 25 |
It's reasonable to assume that modern hash functions will have a far |
| 26 |
longer warning period. For two reasons: |
| 27 |
* their safety margin is much higher to begin with, particularly if |
| 28 |
you choose something like SHA512 (256 bit collission resistance). It |
| 29 |
was more or less always clear that MD5 (64 bit) and SHA1 (80 bit) are |
| 30 |
in risky terrain even without any cryptographic breakthrough. |
| 31 |
* hash function research in 2017 is lightyears ahead of hash function |
| 32 |
research in the 90s and early 2000s. One major outcome of the |
| 33 |
research after the big hash breakdown in 2005 was that SHA-2 is much |
| 34 |
safer than people previously thought. |
| 35 |
|
| 36 |
|
| 37 |
I don' have a very strong opinion on this. Having two hash functions |
| 38 |
probably won't harm. Though I tend to prefer the simplest solutions if |
| 39 |
it's secure. And all my cryptographic knowledge tells me that "What if |
| 40 |
sha512 is broken?" isn't a realistic problem to be concerned about. |
| 41 |
|
| 42 |
|
| 43 |
I do feel it's a bit ironic that we have these lengthy discussions |
| 44 |
about hash functions while at the same time they provide little |
| 45 |
security to begin with, because they aren't transmitted over a secure |
| 46 |
channel and not signed... |
| 47 |
|
| 48 |
-- |
| 49 |
Hanno Böck |
| 50 |
https://hboeck.de/ |
| 51 |
|
| 52 |
mail/jabber: hanno@××××××.de |
| 53 |
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 |
Archives