On Fri, 20 Oct 2017 11:23:06 +0200
Ulrich Mueller <ulm@g.o> wrote:

> >>>>> On Fri, 20 Oct 2017, Dirkjan Ochtman wrote:
>
> > As Hanno was saying, we'll have decades of warning before a break
> > becomes practical, so I don't think this is a real concern.
>
> How can we be sure of that? I guess the same reasoning was applied
> when MD5 and SHA1 hashes were used.

MD5 warning 1996:
ftp://ftp.iks-jena.de/mitarb/lutz/crypt/hash/dobbertin.ps

MD5 broken 2005:
http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf

SHA1 warning 2005:
https://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf

SHA1 broken 2017:
https://shattered.io/


It's reasonable to assume that modern hash functions will have a far
longer warning period. For two reasons:
* their safety margin is much higher to begin with, particularly if
  you choose something like SHA512 (256 bit collision resistance). It
  was more or less always clear that MD5 (64 bit) and SHA1 (80 bit) are
  in risky terrain even without any cryptographic breakthrough.
* hash function research in 2017 is lightyears ahead of hash function
  research in the 90s and early 2000s. One major outcome of the
  research after the big hash breakdown in 2005 was that SHA-2 is much
  safer than people previously thought.


I don't have a very strong opinion on this. Having two hash functions
probably won't harm. Though I tend to prefer the simplest solutions if
it's secure. And all my cryptographic knowledge tells me that "What if
sha512 is broken?" isn't a realistic problem to be concerned about.


I do feel it's a bit ironic that we have these lengthy discussions
about hash functions while at the same time they provide little
security to begin with, because they aren't transmitted over a secure
channel and not signed...

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
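Added example, not part of the message above and not code from any Gentoo tool: a toy verifier for Manifest-style "DIST" lines that carry two digests, showing what "having two hash functions" buys (every listed digest must match, so an attacker needs a collision under both algorithms at once) and what it does not buy (an attacker who controls the unsigned channel rewrites both the file and the manifest, and the check passes). The DIST line layout, the choice of BLAKE2B plus SHA512, the file contents and the helper names are assumptions constructed for this illustration.

```python
# Added example (not from the quoted message or from Gentoo's own code).
# The manifest format, algorithms, sample file and helper names are assumed.
import hashlib

ALGOS = ("blake2b", "sha512")  # assumption: the two digests each line carries

# Constructed sample input: one distfile, rendered into a manifest below.
FILES = {"foo-1.0.tar.gz": b"pretend tarball contents\n"}


def digests(data: bytes, algos=ALGOS) -> dict:
    """Hex digests of data under every listed algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def manifest_line(name: str, data: bytes, algos=ALGOS) -> str:
    """Render a DIST line: name, size, then ALGO/digest pairs."""
    pairs = " ".join(f"{a.upper()} {h}" for a, h in digests(data, algos).items())
    return f"DIST {name} {len(data)} {pairs}"


def parse_manifest(text: str) -> dict:
    """Map file name -> (size, {algo: hexdigest}) for each DIST line."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST":
            continue
        name, size = parts[1], int(parts[2])
        hashes = {k.lower(): v for k, v in zip(parts[3::2], parts[4::2])}
        entries[name] = (size, hashes)
    return entries


def verify(manifest_text: str, files: dict) -> bool:
    """True only if every file is listed and every listed digest matches.

    Requiring all digests to match is the point of listing two: a forged
    file must collide under every algorithm, not just the weakest one.
    """
    entries = parse_manifest(manifest_text)
    for name, data in files.items():
        if name not in entries:
            return False
        size, expected = entries[name]
        if size != len(data):
            return False
        actual = digests(data, tuple(expected))
        if any(actual[a] != h for a, h in expected.items()):
            return False
    return True


def scenarios() -> dict:
    """Three checks showing what the digest list does and does not protect."""
    good_manifest = manifest_line("foo-1.0.tar.gz", FILES["foo-1.0.tar.gz"])

    # A substituted file checked against the genuine manifest fails.
    tampered = {"foo-1.0.tar.gz": b"malicious tarball contents\n"}

    # An attacker on the download channel rewrites the file AND the
    # unsigned manifest; every digest matches and the check passes. This is
    # the message's closing point: without a signature or a secure channel,
    # the digests detect corruption, not substitution.
    forged_manifest = manifest_line("foo-1.0.tar.gz", tampered["foo-1.0.tar.gz"])

    return {
        "genuine": verify(good_manifest, FILES),
        "tampered_file": verify(good_manifest, tampered),
        "attacker_rewrites_both": verify(forged_manifest, tampered),
    }


if __name__ == "__main__":
    print(scenarios())
```

Running it prints True for the genuine file, False for the swapped file, and True again for the swapped file with a rewritten manifest; the last result only changes once the manifest is signed or fetched over an authenticated channel, which is the part the digests cannot provide on their own.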