Re: [keyassure] Opening issue #21: "Need to specify which crypto

Phillip Hallam-Baker <> Wed, 02 March 2011 23:08 UTC

Date: Wed, 2 Mar 2011 18:09:11 -0500
From: Phillip Hallam-Baker <>
To: Stephen Farrell <>
Subject: Re: [keyassure] Opening issue #21: "Need to specify which crypto

What I meant to write was that SHA1 is only marginally more secure
than MD5 was when we decided to stop using it. Obviously with 32 extra
bits it is harder to break.

If you look at the internals of SHA1-0, the original proposal, you
will find that it is in effect simply MD5 with an additional set of
state variables to extend the size to 160 bits.

The spec was amended to add in an additional expansion function before
it was approved. In a private conversation in 1995 at the time the
Dobbertin attack was first circulated, Rivest was of the opinion that
this would make it somewhat more resistant to the Dobbertin attack but
not considerably so.

While the attacks on SHA1 are currently theoretical, they are rapidly
approaching the point at which we started to decide that use of MD5
should be avoided.

Further, even though we stopped using MD5 in the mid-90s, it is still
possible to use MD5 securely, but doing so requires considerable
attention to other security precautions. So even if there is a
theoretical break of SHA1, we are hardly in a situation where we will
face an immediate crisis.

If SHA1 is 'broken' tomorrow it is likely going to be 2020 before
there is a practical exploit based on that attack. But that is not
reason for complacency as it is likely to take us a decade to dig our
way out of using SHA1.

On Wed, Mar 2, 2011 at 4:37 PM, Stephen Farrell
<> wrote:
> On 2 Mar 2011, at 21:24, Phillip Hallam-Baker <> wrote:
>> Which is why I am arguing it is time to withdraw SHA1 from service. It
>> is only marginally more secure than MD5.
> "Marginally"? Evidence please? I don't think exaggeration helps your case.
> S
>> On Wed, Mar 2, 2011 at 12:24 PM, Martin Rex <> wrote:
>>> Phillip Hallam-Baker wrote:
>>>> The use of MD2 in a self signed cert has little risk as far as use of
>>>> the cert itself goes since it only serves as proof of possession which
>>>> is only relevant when the browser provider chooses to install it in
>>>> the browser.
>>> In the universe where I live, there exist collision attacks against MD2.
>>>  (check
>>> So an RSA-key for which a PKCS#1 encrypted MD2 signature has been
>>> published is a real security problem and ought to have been discarded
>>> long ago.
>>> Else someone could try to use the preimage attack to issue himself
>>> an intermediate CA cert under such a root cert, reusing the md2-based
>>> signature on the RootCA cert.
>>> I would REALLY like to kill md2withRsaEncryption as a digital
>>> signature algorithm from our PKI implementation, like I did
>>> with all of md4-based digital signature algorithms.
>>> Getting rid of "tainted" RSA keys is also important.
>>> Why do you think that FIPS 186-3 says that you are not allowed
>>> to use an RSA keypair for both PKCS-v1.5 and PKCS-PSS signatures?
>>> Because you "taint" your RSA key on the first time that you use it
>>> for a weak scheme.
>>> -Martin
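The practical step Martin describes, refusing md2/md4-based signature algorithms in a PKI implementation, and Phillip's argument for retiring SHA1, both come down to auditing which digest a certificate's signature actually uses. The following is an added example, not code from the thread or from any of its participants: a standard-library-only Python audit that reads the `signatureAlgorithm` OID of a DER-encoded X.509 certificate, checks it against the `tbsCertificate.signature` field (RFC 5280 requires the two to match), and classifies the digest. The DER helpers, the `audit` function and the skeletal sample certificates are constructed for this example; the OIDs are the standard PKCS#1 and ANSI X9.62 values; the `REJECTED_DIGESTS` policy set is an assumption reflecting the positions argued in the thread, not a published requirement.

```python
"""Audit the signature algorithm of a DER X.509 certificate (stdlib only).

Added example for the keyassure thread on MD2/MD5/SHA1; not project code.
"""

# Well-known AlgorithmIdentifier OIDs (PKCS#1 / RFC 3279 / RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "md2"),
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", "md4"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
# Assumed policy: digests the thread argues should be withdrawn from signature use.
REJECTED_DIGESTS = {"md2", "md4", "md5", "sha1"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _children(content):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        items.append((tag, val))
    return items


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc 0 or 1, or 2 with second arc < 40)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of a base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oids(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID) from a DER Certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, outer_alg, _sig_value = _children(cert)[:3]
    outer_oid = _decode_oid(_children(outer_alg[1])[0][1])   # SEQUENCE { OID, params }
    fields = _children(tbs[1])                               # [0] version?, serial, signature, ...
    if fields[0][0] == 0xA0:                                 # skip the EXPLICIT [0] version
        fields = fields[1:]
    inner_oid = _decode_oid(_children(fields[1][1])[0][1])
    return inner_oid, outer_oid


def audit(cert_der):
    """Classify the certificate's signature digest; findings is empty when the cert passes policy."""
    inner, outer = signature_algorithm_oids(cert_der)
    name, digest = SIG_OIDS.get(outer, ("unknown:" + outer, None))
    findings = []
    if inner != outer:
        findings.append("tbsCertificate.signature differs from signatureAlgorithm (RFC 5280 4.1.1.2)")
    if digest is None:
        findings.append("unrecognised signature algorithm")
    elif digest in REJECTED_DIGESTS:
        findings.append("%s digest is broken or deprecated for signatures" % digest)
    return {"algorithm": name, "digest": digest, "ok": not findings, "findings": findings}


# --- constructed sample input (not a real certificate) -----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_sample_cert(inner_oid, outer_oid):
    """Skeletal Certificate carrying only the fields the audit reads (constructed; unsigned)."""
    alg = lambda oid: _der(0x30, _encode_oid(oid) + b"\x05\x00")          # NULL parameters
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg(inner_oid))
    return _der(0x30, tbs + alg(outer_oid) + _der(0x03, b"\x00" * 33))    # empty BIT STRING sig


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(audit(make_sample_cert(oid, oid)))
```

On a real certificate the same `audit` call works on the bytes returned by `ssl.PEM_cert_to_DER_cert(pem_text)`, since the parser only reads the leading fields of `tbsCertificate` and handles long-form lengths; the mismatch finding is the one that catches a certificate whose outer algorithm was swapped after signing, which is the kind of tampering the RFC 5280 equality rule exists to detect.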