Dailydave mailing list archives

Re: SHA-2


From: Rodney Thayer <rodney () canola-jones com>
Date: Mon, 16 Aug 2004 21:43:26 -0700

At 10:52 PM 8/16/2004 -0400, dave wrote:
> MD5 broken and SHA-1 about to fall? Are there any math Ph.D.s in the house who'd like to bring this into context, and
> perhaps provide some analysis of the magic bean that made it all happen?
>
> http://slashdot.org/article.pl?sid=04/08/17/0030243&tid=93&tid=162&tid=1&tid=218

I'm not a cryptographer and I don't play one on the Internet.
But I was around when the Dobbertin attacks against MD-5 came out,
and we had to think about this during the process of standardizing
IPSEC, and TLS, and OpenPGP.  Back before I was known as a
non-lurker on Dailydave [1], I was a simple crypto plumber.

So cryptographers basically make up work for themselves by
building half-assed variants of working algorithms, and then
breaking those.  Some of the time this is technically brilliant,
and mostly it's make-work for the grad students.  Breaking a limited-round
MD-5 doesn't necessarily relate to full MD-5, or SHA-0, or SHA-1.

In this case the tealeaf readers are starting to claim that real
live full-scale working SHA-1 might be found to have collisions,
which Would Be Bad (think every crypto protocol fielded today is
suddenly attackable, via the crypto.)

Now there are other hash algorithms out there.  I don't know if SHA-256
or SHA-512 are really just super-sized SHA-1, but I think that's
the basic idea, so we're now hearing about new improved obscure
hashes, like Whirlpool.  This sounds good, until you remember that
back when we were told SHA-1 *might* be unsafe because it was sort
of structurally related to MD-5, we were told to check out Tiger.
I can't tell where Tiger disappeared to.  You'll find references
to Tiger in early IPsec and early OpenPGP stuff.

The real problem is that the combination of the crypto community
and the IETF has caused the standards we field today to be hard
to change.  For example, I think it might be tough to crank
a new ciphersuite through the IETF to fix TLS if in fact all
the SHA's and all the MD-5's are broken.  This in turn means
that Microsoft (i.e. schannel.dll) or OpenSSL will have to
invent something on their own.

Also, remember it's the week of the Crypto conference in Santa
Barbara, and, just like we have vulnerability storms, er, announcements
around the time of BlackHat and Defcon, we have crypto storms,
er, rumors, er, announcements around the time of Crypto.

[1] I'm standing in the hallway at Black Hat, being introduced
to a fellow trainer.  I say my name, he responds by telling
me my email address.  I think real hard and don't remember ever
giving him a business card.  I look puzzled, and he explains
"I know you, you post on The Daily Dave".

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave