Quoting "Perry E. Metzger" <pe...@piermont.com>:
Ray Dillinger <b...@sonic.net> writes:
I cannot derive a realistic threat model from the very general
statements in the slides.
(BTW, you mean threat, not threat *model*, in this instance.)
As just one obvious example of a realistic threat, consider that there
are CAs that will happily sell you certificates that use SHA-1.
Various clever forgery attacks have been used against certs that use
MD5, see:
http://www.win.tue.nl/hashclash/rogue-ca/
Those attacks can now be extended to SHA-1 pretty easily. It might
It is in my opinion way to early to jump to this kind of conclusions:
Even if the new attack works are promised (and I have the feeling that
people are too optimistic here), there is the following issue:
* these advanced attacks against CAs do require a special type of
collision attack (the name "chosen-prefix attack" was coined), not a
"normal" collision attack we are talking about here for the case of
SHA-1. A chosen-prefix attack can be expected to be significantly
harder to perform than a "normal" attack. The link you provided should
contain a more in-depth discussion on this for the case of MD5.
Nevertheless, I agree that moving away from SHA-1 should be encouraged
(since 2005).
Best,
Christian
--
Christian Rechberger, Graz University of Technology, Austria.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
