Re: [Cfrg] [Fwd: I-D ACTION:draft-turner-sha0-sha1-seccon-00.txt]
Simon Josefsson <simon@josefsson.org> Mon, 04 October 2010 09:02 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EC8EB3A6F6C; Mon, 4 Oct 2010 02:02:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.665
X-Spam-Level:
X-Spam-Status: No, score=-102.665 tagged_above=-999 required=5 tests=[AWL=-0.066, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xS8jjc2aTVU9; Mon, 4 Oct 2010 02:02:09 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id BC0183A6F56; Mon, 4 Oct 2010 02:02:08 -0700 (PDT)
Received: from mocca (c80-216-27-64.bredband.comhem.se [80.216.27.64]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o9492vwJ018716 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 4 Oct 2010 11:02:59 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4CA65AD7.80300@ieca.com> <p06240808c8cd060efcb4@[10.20.30.158]>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:101004:cfrg@irtf.org::M9gO9Ed2UAfpEUGI:CFF+
X-Hashcash: 1:22:101004:paul.hoffman@vpnc.org::oQYW1l5ytAav2xuw:8hSf
X-Hashcash: 1:22:101004:saag@ietf.org::YR0OBXhmrQLaG2Yr:XWUy
Date: Mon, 04 Oct 2010 11:02:55 +0200
In-Reply-To: <p06240808c8cd060efcb4@[10.20.30.158]> (Paul Hoffman's message of "Sat\, 2 Oct 2010 09\:25\:25 -0700")
Message-ID: <87k4lytjnk.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: clamav-milter 0.96.3 at yxa-v
X-Virus-Status: Clean
Cc: cfrg@irtf.org, saag@ietf.org
Subject: Re: [Cfrg] [Fwd: I-D ACTION:draft-turner-sha0-sha1-seccon-00.txt]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Oct 2010 09:02:10 -0000
Paul Hoffman <paul.hoffman@vpnc.org> writes: > If the authors really did mean to give useful guidance, I propose the > following replacement for this section: Re-reading the original text and Paul's proposed text below, I strongly prefer the latter one. The situation is not as simple as the original text implies, and this needs to be conveyed by the document somehow. Avoiding RFC 2119 language, which doesn't make sense for an Informational document anyway, is a good way to achieve this. /Simon > ===== > SHA-1 provides less collision resistance than was originally > expected, and collision resistance has been shown to affect some (but > not all) applications that use digital signatures. Even if SHA-1's > collision resistance was as good as was expected, SHA-256's collision > resistance and resistance to finding pre-images are much higher by > design. > > Because of this, designers of IETF protocols should put a strong > preference for signature algorithms with SHA-256 in their protocols. > The typical way to give such a preference is to make the algorithm > that uses SHA-256 mandatory, while the algorithm using SHA-1 being > optional. Of course, SHA-0 should continue to not be used in any IETF > protocol. > > Nearly all IETF protocols that use signatures assume existing public > key infrastructures, and SHA-1 is still used in signatures nearly > everywhere. Therefore, it is unwise to prohibit the use of SHA-1 in > signature algorithms. However, it is certainly useful to point out in > the security considerations for those protocols that SHA-1 is not as > strong as SHA-256. > > A protocol designer might want to consider the use of SHA-1 with > randomized hashing such as is specified in [SP800-107]. However, such > use will still not be stronger than the normal use of SHA-256, and it > expands the size of signatures and requires them to carry material > that is not needed today. > > HMAC-SHA-1 remains secure and is the preferred keyed hash algorithm > for IETF protocol design. > ===== > > You can then remove the reference to RFC 2119. > > --Paul Hoffman, Director > --VPN Consortium
- [Cfrg] [Fwd: I-D ACTION:draft-turner-sha0-sha1-se… Sean Turner
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Paul Hoffman
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Paul Hoffman
- Re: [Cfrg] [Fwd: I-D ACTION:draft-turner-sha0-sha… Simon Josefsson
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Dan Harkins
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Paul Hoffman
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Paul Hoffman
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Peter Gutmann
- Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-s… Sean Turner