Re: NIST publishes new DSA draft

"Ian Grigg" <iang@systemics.com> Wed, 15 March 2006 09:53 UTC

Message-ID: <61223.84.131.251.69.1142414950.squirrel@webmail2.pair.com>
In-Reply-To: <20060314233108.1B3AF57FB0@finney.org>
References: <20060314233108.1B3AF57FB0@finney.org>
Date: Wed, 15 Mar 2006 04:29:10 -0500
Subject: Re: NIST publishes new DSA draft
From: Ian Grigg <iang@systemics.com>
To: ietf-openpgp@imc.org
Reply-To: iang@systemics.com

>
> James Couzens writes:
>> I had thought it a bit strange that someone writing so comprehensively
>> about something related to digital signatures and to then make the
>> statement as you did at the end of the paragraph I quoted.  Did you have
>> some other intended meaning, such as broken by draft explicit
>> prohibition or otherwise declared deprecated in a future draft?
>
> Yes, sorry, my language was not as precise as it might have been.
> I said we should be ready in case SHA-1 were broken, but as you note
> it has been officially "broken" for over a year.  However that is just
> a theoretical break and no actual examples of SHA-1 message collisions
> have yet been published.  So at this point SHA-1 is in a bit of a limbo
> state, theoretically broken but still in widespread use.
The problem lies in the use of the term "broken"
which sounds great in the popular press, but is
insufficiently precise for serious forums and
serious protocol work.  A more appropriate term is
that SHA1 is weakened - from 80 bits to 69 bits -
for some uses.

Analysis in this forum in the past has indicated
that - approximately - SHA1 is still good, but we
should move over as and when we can select good
alternatives.  NIST's new DSA announcement I think
makes the case that SHA256 is going to be around a
lot longer than some of us earlier speculated, so
that looks like the target for now.

> If the attack should get worse so that SHA-1 collisions could be found
> in a practical amount of time, then we would have a much more urgent
> need to switch to another hash.  That is what I really meant when I
> said we should be ready if SHA-1 should be broken.

Yes, it's a concern.  FTR, I agree with Hal that
we should seriously consider taking the draft out
of last call (dammit!) ... hopefully it won't take
too long to get enough consensus and some rough
working code?

iang
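The "80 bits to 69 bits for some uses" point above is easy to misread, so here is an added worked example (mine, not Ian Grigg's, Hal Finney's or the OpenPGP working group's code). It assumes Python 3 with the standard `hashlib` module. It does two things: it computes the generic security bounds for SHA-1 and SHA-256 (preimage and second-preimage at the full digest length, collision at half of it, which is where the 80-bit figure comes from) and applies the 2^69 collision cost quoted in the thread as an override, so a policy check can tell a collision-sensitive use (signing a document an outsider supplied) from a second-preimage-sensitive one (verifying a document the signer already holds); and it runs a birthday search on a 24-bit truncation of the digest to show, on something that finishes in under a second, that collisions cost about the square root of the output space rather than the whole of it. The helper names, the 24-bit truncation and the seed string are my own constructions.

```python
import hashlib
import math

# Digest lengths in bits (standard values for both algorithms).
DIGEST_BITS = {"sha1": 160, "sha256": 256}

# Published collision-attack cost quoted in the thread: SHA-1 down to
# roughly 2^69 work from the generic 2^80.  No such figure is given for
# SHA-256 on the page, so it keeps its generic bound.
PUBLISHED_COLLISION_COST_LOG2 = {"sha1": 69}


def generic_bounds(name):
    """Textbook bounds: n bits for (second-)preimage, n/2 bits for collision."""
    n = DIGEST_BITS[name]
    return {"preimage": n, "second_preimage": n, "collision": n // 2}


def effective_bits(name, prop):
    """Generic bound, lowered by a published attack where one exists.

    Only the collision property is affected by the 2^69 result; preimage
    and second-preimage strength of SHA-1 stay at the 160-bit bound, which
    is what 'weakened for some uses' means in practice.
    """
    bits = generic_bounds(name)[prop]
    if prop == "collision" and name in PUBLISHED_COLLISION_COST_LOG2:
        bits = min(bits, PUBLISHED_COLLISION_COST_LOG2[name])
    return bits


def meets_target(name, prop, target_bits):
    """Policy check: does this hash still deliver target_bits for this use?"""
    return effective_bits(name, prop) >= target_bits


def birthday_expected_trials(trunc_bits):
    """Expected number of random digests before two share trunc_bits bits."""
    return math.sqrt(math.pi / 2 * 2 ** trunc_bits)


def birthday_collision(name, trunc_bits, seed=b"constructed-seed-"):
    """Find two distinct inputs whose digests agree on their first trunc_bits
    bits and return (trials, msg_a, msg_b).  Inputs are a fixed seed plus a
    counter, so the search is deterministic and reproducible."""
    seen = {}
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")
        counter += 1
        digest = hashlib.new(name, msg).digest()
        prefix = int.from_bytes(digest, "big") >> (len(digest) * 8 - trunc_bits)
        if prefix in seen:
            return counter, seen[prefix], msg
        seen[prefix] = msg


def truncated_prefix(name, msg, trunc_bits):
    digest = hashlib.new(name, msg).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - trunc_bits)


if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        for prop in ("collision", "second_preimage"):
            print(f"{alg:7} {prop:16} {effective_bits(alg, prop):4} bits")
    trials, a, b = birthday_collision("sha1", 24)
    print(f"24-bit SHA-1 prefix collision after {trials} digests "
          f"(expected about {birthday_expected_trials(24):.0f}, "
          f"brute force would be {2 ** 24})")
```

The policy helper is the part a protocol designer would actually reuse: `meets_target("sha1", "collision", 80)` is false under the quoted attack, while `meets_target("sha1", "second_preimage", 80)` is still true, which is exactly the distinction between "broken" in the press and "weakened for some uses" in the message. The birthday search is there to make the 80-bit figure concrete: 24 output bits fall in a few thousand trials, not 16 million.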