| 1 |
On Sat, Nov 19, 2005 at 06:44:34AM +0000, Ciaran McCreesh wrote: |
| 2 |
> | First, the blatantly obvious, for the benefit of same developers, even |
| 3 |
> | though it's not relevant to signing. It is still a weak-point and does |
| 4 |
> | need to be addressed. Multiple-hashes! |
| 5 |
> There is no proof that multiple hashes gives you any security beyond |
| 6 |
> the strength of the single most secure hash algorithm. If you have two |
| 7 |
> signatures, one of which gives you an effective strength of 100 bits |
| 8 |
> and the other of which gives you an effective strength of 80 bits, the |
| 9 |
> overall effective strength is not 180 bits. |
| 10 |
I didn't claim the overall strength of combining MD5 (128 bits) and |
| 11 |
SHA1 (160 bits) would be directly equal, but it does still exceed the |
| 12 |
strength of either of them individually, by simple mathematical process. |
| 13 |
More importantly for the short term, multiple-hashes are needed for |
| 14 |
backwards compatibility - we can't ditch MD5 yet. |
| 15 |
|
| 16 |
> See, this is why you need to be careful. Some things that you'd think |
| 17 |
> were 'obvious' probably aren't actually true... |
| 18 |
The Wang (2005a) attack breaks MD5 in 2^39 operations, and Wang also |
| 19 |
claims being able to theoretically do SHA1 under 2^69 operations |
| 20 |
(2005b), full details of the SHA1 break have not been published to date |
| 21 |
(SHA1 is still 2^30 times harder to break than MD5 - assuming your |
| 22 |
machine can break MD5 in 1 hour that's still conservatively 10k+ years |
| 23 |
to break SHA1). |
| 24 |
|
| 25 |
Note that Sasaki et al (2005) have signifcently improved on Wang's MD5 |
| 26 |
attack, claiming 2^30 operations. |
| 27 |
|
| 28 |
If you consider the method of the breaks, some of the other papers have |
| 29 |
noted that while some of the mathematics behind the Wang attack are |
| 30 |
applicable across all classes of hash functions, many of them are not |
| 31 |
suitable across other classes of hash functions. MD5 and SHA* are |
| 32 |
however closely related, so they should be considered as having a |
| 33 |
combined strength much closer to MAX(MD5,SHA*) than SUM(MD5,SHA*). |
| 34 |
|
| 35 |
Wang et al. 2005a. How to Break MD5 and Other Hash Functions. |
| 36 |
http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf |
| 37 |
Wang et al. 2005b. Collision Search Attacks on SHA1. |
| 38 |
http://theory.csail.mit.edu/~yiqun/shanote.pdf |
| 39 |
Sasaki et al. 2005. Improved Collision Attack on MD5. |
| 40 |
Improved Collision Attack on MD5. |
| 41 |
|
| 42 |
For the short term, MD5+SHA1 or MD5+SHA512 allows old versions of |
| 43 |
portage (that only support MD5) to continue to work, while offering the |
| 44 |
security of SHA512 to newer versions of portage. |
| 45 |
|
| 46 |
If you really wanted to be pedantic about which hash functions were |
| 47 |
used together, you can go the whole hog in choosing functions of |
| 48 |
different classes: SHA512+HAVAL256+TIGER192+WHIRLPOOL (throw in GOST too |
| 49 |
if you are paranoid, it's reasonable certain that the NSA has broken |
| 50 |
it). |
| 51 |
But I think you'd get complaints that it would take too long to check |
| 52 |
all of the hashes. Maybe just pick two hashes of the above to go |
| 53 |
onwards with. I'd favour SHA512+TIGER192 as being of very different |
| 54 |
design, and the implementations are fast. |
| 55 |
|
| 56 |
-- |
| 57 |
Robin Hugh Johnson |
| 58 |
E-Mail : robbat2@g.o |
| 59 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives