Re: [keyassure] Opening issue #21: "Need to specify which crypto

[Phillip Hallam-Baker <hallam@gmail.com>]

What I meant to write was that SHA1 is only marginally more secure
than MD5 was when we decided to stop using it. Obviously with 32 extra
bits it is harder to break.


If you look at the internals of SHA1-0, the original proposal, you
will find that it is in effect simply MD5 with an additional set of
state variables to extend the size to 160 bits.

The spec was amended to add in an additional expansion function before
it was approved. In a private conversation in 1995 at the time the
Dobbertin attack was first circulated, Rivest was of the opinion that
this would make it somewhat more resistant to the Dobbertin attack but
not considerably so.


While the attacks on SHA1 are currently theoretical, they are rapidly
approaching the point at which we started to decide that use of MD5
should be avoided.

Further, even though we stopped using MD5 in the mid 90s, it is still
possible to use MD5 securely but doing so requires considerable
attention to other security precautions. So even if there is a
theoretical break of SHA1 we are hardly in a situation where we will
face an immediate crisis.

If SHA1 is 'broken' tomorrow it is likely going to be 2020 before
there is a practical exploit based on that attack. But that is not
reason for complacency as it is likely to take us a decade to dig our
way out of using SHA1.


On Wed, Mar 2, 2011 at 4:37 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
>
> On 2 Mar 2011, at 21:24, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>> Which is why I am arguing it is time to withdraw SHA1 from service. It
>> is only marginally more secure than MD5.
>
> "Marginally"? Evidence please? I dont think exageration helps your case.
>
> S
>
>
>>
>>
>>
>> On Wed, Mar 2, 2011 at 12:24 PM, Martin Rex <mrex@sap.com> wrote:
>>> Phillip Hallam-Baker wrote:
>>>>
>>>> The use of MD2 in a self signed cert has little risk as far as use of
>>>> the cert itself goes since it only serves as proof of possession which
>>>> is only relevant when the browser provider chooses to install it in
>>>> the browser.
>>>
>>> In the universe where I live, there exist collision attacks against MD2.
>>>  (check http://en.wikipedia.org/wiki/MD2_%28cryptography%29)
>>>
>>> So an RSA-key for which a PKCS#1 encrypted MD2 signature has been
>>> published is a real security problem and ought to have been discarded
>>> long ago.
>>>
>>> Else someone could try to use the preimage attack to issue himself
>>> an intermediate CA cert under such a root cert, reusing the md2-based
>>> signature on the RootCA cert.
>>>
>>> I would REALLY like to kill md2withRsaEncryption as a digital
>>> signature algorithm from our PKI implementation, like I did
>>> with all of md4-based digital signature algorithms.
>>>
>>>
>>> Getting rid of "tainted" RSA keys is also important.
>>>
>>> Why do you think that FIPS 186-3 says that you are not allowed
>>> to use an RSA keypair for both PKCS-v1.5 and PKCS-PSS signatures?
>>> Because you "taint" your RSA key on the first time that you use it
>>> for a weak scheme.
>>>
>>> -Martin
>>>
>>
>>
>>
>> --
>> Website: http://hallambaker.com/
>> _______________________________________________
>> keyassure mailing list
>> keyassure@ietf.org
>> https://www.ietf.org/mailman/listinfo/keyassure
>



-- 
Website: http://hallambaker.com/