On Sat, Nov 19, 2005 at 06:44:34AM +0000, Ciaran McCreesh wrote:
> | First, the blatantly obvious, for the benefit of some developers, even
> | though it's not relevant to signing. It is still a weak-point and does
> | need to be addressed. Multiple-hashes!
> There is no proof that multiple hashes give you any security beyond
> the strength of the single most secure hash algorithm. If you have two
> signatures, one of which gives you an effective strength of 100 bits
> and the other of which gives you an effective strength of 80 bits, the
> overall effective strength is not 180 bits.
I didn't claim the overall strength of combining MD5 (128 bits) and
SHA1 (160 bits) would be directly equal, but it does still exceed the
strength of either of them individually, by simple mathematical process.
More importantly for the short term, multiple-hashes are needed for
backwards compatibility - we can't ditch MD5 yet.

> See, this is why you need to be careful. Some things that you'd think
> were 'obvious' probably aren't actually true...
The Wang (2005a) attack breaks MD5 in 2^39 operations, and Wang also
claims being able to theoretically do SHA1 under 2^69 operations
(2005b), full details of the SHA1 break have not been published to date
(SHA1 is still 2^30 times harder to break than MD5 - assuming your
machine can break MD5 in 1 hour that's still conservatively 10k+ years
to break SHA1).

Note that Sasaki et al (2005) have significantly improved on Wang's MD5
attack, claiming 2^30 operations.

If you consider the method of the breaks, some of the other papers have
noted that while some of the mathematics behind the Wang attack are
applicable across all classes of hash functions, many of them are not
suitable across other classes of hash functions. MD5 and SHA* are
however closely related, so they should be considered as having a
combined strength much closer to MAX(MD5,SHA*) than SUM(MD5,SHA*).

Wang et al. 2005a. How to Break MD5 and Other Hash Functions.
http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf
Wang et al. 2005b. Collision Search Attacks on SHA1.
http://theory.csail.mit.edu/~yiqun/shanote.pdf
Sasaki et al. 2005. Improved Collision Attack on MD5.

For the short term, MD5+SHA1 or MD5+SHA512 allows old versions of
portage (that only support MD5) to continue to work, while offering the
security of SHA512 to newer versions of portage.

If you really wanted to be pedantic about which hash functions were
used together, you can go the whole hog in choosing functions of
different classes: SHA512+HAVAL256+TIGER192+WHIRLPOOL (throw in GOST too
if you are paranoid, it's reasonably certain that the NSA has broken
it).
But I think you'd get complaints that it would take too long to check
all of the hashes. Maybe just pick two hashes of the above to go
onwards with. I'd favour SHA512+TIGER192 as being of very different
design, and the implementations are fast.

-- 
Robin Hugh Johnson
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
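An added example, not code from this mail or from Portage, of the multi-digest check the thread discusses. The manifest format it reads and writes (NAME SIZE ALGO HEX ...) is an assumption made for the illustration, as is the sample payload. A client that only implements MD5 verifies the digest it can; a newer client checks every digest it understands, so a mismatch under any one of them rejects the file, and it additionally requires that a SHA512 digest be present, so an entry that carries only MD5 is refused rather than verified at MD5's strength.

```python
import hashlib
import hmac

# Constructed sample payload standing in for a distfile (not from the thread).
SAMPLE = b"example distfile contents\n"

# Digests the hypothetical manifest writer emits. Old clients know only MD5;
# SHA512 is the strong digest newer clients are expected to check.
ALGOS = ("md5", "sha1", "sha512")


def digests(data: bytes, algos=ALGOS) -> dict:
    """Compute every requested digest over the same bytes."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def manifest_line(name: str, data: bytes, algos=ALGOS) -> str:
    """Emit one entry in a constructed manifest format (an assumption, not
    Portage's real Manifest syntax): NAME SIZE ALGO HEX [ALGO HEX ...]."""
    fields = [name, str(len(data))]
    for algo, hexdigest in digests(data, algos).items():
        fields += [algo.upper(), hexdigest]
    return " ".join(fields)


def parse_manifest_line(line: str):
    """Return (name, size, {algo: hexdigest}) for one manifest entry."""
    parts = line.split()
    if len(parts) < 4 or len(parts) % 2:
        raise ValueError("malformed manifest entry")
    name, size = parts[0], int(parts[1])
    pairs = parts[2:]
    listed = {pairs[i].lower(): pairs[i + 1] for i in range(0, len(pairs), 2)}
    return name, size, listed


def verify(data: bytes, line: str, supported, required=()) -> bool:
    """Check data against one manifest entry.

    supported: digest algorithms this client implements.
    required:  algorithms of which at least one must be listed and checked;
               a newer client passes ("sha512",) so an entry carrying only
               MD5 is rejected instead of being verified at MD5 strength.

    Every listed digest the client understands must match: one mismatch
    rejects the file, so a forged file would have to collide under all of
    the checked functions at once, not only the weakest one.
    """
    _, size, listed = parse_manifest_line(line)
    if len(data) != size:
        return False
    checkable = [a for a in listed if a in supported]
    if not checkable:
        return False  # nothing this client can verify at all
    if required and not any(a in checkable for a in required):
        return False  # strong digest absent: treat as a downgrade
    for algo in checkable:
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, listed[algo]):
            return False
    return True


if __name__ == "__main__":
    entry = manifest_line("example-1.0.tar.gz", SAMPLE)
    print(entry)
    print("old client (MD5 only):", verify(SAMPLE, entry, {"md5"}))
    print("new client (needs SHA512):",
          verify(SAMPLE, entry, set(ALGOS), required=("sha512",)))
    print("tampered file:",
          verify(SAMPLE[:-1] + b"!", entry, set(ALGOS), required=("sha512",)))
```

The `required` set is what makes the backwards-compatible manifest safe for newer clients: without it, a manifest stripped down to its MD5 field would still verify on every client, and the stronger digest would buy nothing.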