Travis <travis+ml-cryptogra...@subspacefield.org> writes: > I'm working on a presentation about cryptography to give to the Open > Web Application Security Project (OWASP). [...] > In addition, I'm curious about: > > Which hashes are currently vulnerable to length-extension attacks. If > I recall Bruce Schneier's book "Practical Cryptography" correctly, he > stated that even SHA-1 was vulnerable. Do any hashes in the SHA-2 > family have protection against length extension? [...]
If you expect to be presenting things at that level of detail to developers, you're going to lose. There is no chance that they'll absorb the details, and they'll get entirely the wrong message, which is that they should be making decisions on such things instead of just using prepackaged protocols. The single most important lesson in cryptography is that cryptography and cryptographic protocols are insanely hard to get right. The average PHP hacker is not in a position to spend enough time to learn the field well enough -- he's busy getting his application working. Much better to avoid the entire issue. Perry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
