Peter Gutmann <[email protected]> writes:
> "Perry E. Metzger" <[email protected]> writes:
>>Greg Rose <[email protected]> writes:
>>> It already wasn't theoretical... if you know what I mean. The writing
>>> has been on the wall since Wang's attacks four years ago.
>>
>>Sure, but this should light a fire under people for things like TLS 1.2.
>
> Why?
>
> Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1 and
> SHA-1/MD5 dual hashes)?

No immediate threat. The issue is that attacks only get better with time.
Now that we've seen this set of attacks, we can't be entirely sure what
will happen next. In three or five years, we may find that HMAC-SHA1 is
more easily attacked than it is now.

On the 1.2 issue, the real point of 1.2 is not to replace SHA-1 per se but
to permit us to deal with the situation where *any* algorithm proves to be
dangerously weak. We've learned this lesson several times now -- it is best
to have protocols that can move to new crypto algorithms as old ones need
to be abandoned.

Note that I said "things like" TLS -- TLS is not the only issue. There are
many out there. There is no need to panic over any one of them, but it
would be good to get things replaced. Right now, without much of a rush or
any real anxiety about it, we can take the several years needed to move
new mechanisms out. If we dither, then in a few years we may find ourselves
having a much less pleasant transition where suddenly the problem isn't
long-term but immediate.

> Do you think the phishers will even notice this as they sort their
> multi-gigabyte databases of stolen credentials?

No, they clearly won't notice at all. However, let's broaden this and
consider not only phishermen but all attackers. Remember, attackers go for
the lowest hanging fruit, not for any particular technique. They pick the
weakest links available. The reason bad crypto has not been an attack point
is because other things have been much easier to attack than the crypto. I
would prefer to keep it that way.

My worry isn't about the phishermen per se. My worry is about things we
haven't thought about -- tricks like the CA forgery trick lying in wait for
us. There are more and more things out there that depend on the crypto
being right -- things like signed software updates, people who actually
*need* authentication for life-critical systems, etc. If we clean things up
now, in three or five or seven years we won't have to rush.

There is no need to panic, but clearly the handwriting is on the wall. The
time to act is early, when it is inexpensive to do so.

> It may be geeky-cool to make the change, but geeky-cool isn't going to
> persuade (say) Linksys to implement TLS 1.2 on their home routers.
>
> (I can't believe I just said that :-).

Home routers and other equipment last for years. If we slowly roll out
various protocol and system updates now, then in a number of years, when we
find ourselves with real trouble, a lot of them will already be updated
because new ones won't have issues. If we wait until things get bad, then
instead of being a natural part of the upgrade cycle, things get to be
expensive and painful.

Perry
-- 
Perry E. Metzger		[email protected]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
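As an illustration of the algorithm agility Perry argues for (an example added here; it is not part of the thread and not any real protocol's code), the following Python sketch tags each message with its MAC algorithm identifier, binds that identifier into the MAC input so a peer cannot relabel a tag as a different algorithm, and keeps a "deprecated" set so HMAC-SHA1 tags can still be verified on old data during a transition but are no longer produced. The registry, wire format, key and function names are all invented for this example.

```python
import hashlib
import hmac

# Registry of MAC algorithms the protocol understands at all.
# (Constructed for this example; not a real protocol's registry.)
MAC_ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
}

# Algorithms that may still be verified on data produced before the
# transition, but that senders must no longer use. Retiring an algorithm
# is a one-line change here rather than a protocol redesign.
DEPRECATED = {"hmac-sha1"}


def sender_allowed(alg: str) -> bool:
    """True if a conforming sender may still produce tags with `alg`."""
    return alg in MAC_ALGORITHMS and alg not in DEPRECATED


def _mac_input(alg: str, msg: bytes) -> bytes:
    # Bind the algorithm identifier into the authenticated data, so a tag
    # computed under one algorithm cannot be presented as another.
    return alg.encode("ascii") + b"\x00" + msg


def mac_message(key: bytes, alg: str, msg: bytes, allow_deprecated: bool = False) -> bytes:
    """Return the wire form `alg_id ':' tag`.

    `allow_deprecated` exists only to model legacy data created before the
    algorithm was retired; normal senders leave it False.
    """
    if alg not in MAC_ALGORITHMS:
        raise ValueError(f"unknown MAC algorithm {alg!r}")
    if alg in DEPRECATED and not allow_deprecated:
        raise ValueError(f"refusing to produce new tags with retired algorithm {alg!r}")
    tag = hmac.new(key, _mac_input(alg, msg), MAC_ALGORITHMS[alg]).digest()
    return alg.encode("ascii") + b":" + tag


def verify_message(key: bytes, msg: bytes, wire: bytes, allow_deprecated: bool = False) -> bool:
    """Verify a wire-form tag; returns False for unknown or retired algorithms."""
    # Algorithm identifiers never contain ':', so the first ':' is the separator
    # even though the binary tag that follows may itself contain that byte.
    alg_id, sep, tag = wire.partition(b":")
    if not sep:
        return False
    try:
        alg = alg_id.decode("ascii")
    except UnicodeDecodeError:
        return False
    if alg not in MAC_ALGORITHMS:
        return False
    if alg in DEPRECATED and not allow_deprecated:
        return False
    expected = hmac.new(key, _mac_input(alg, msg), MAC_ALGORITHMS[alg]).digest()
    # Constant-time comparison to avoid leaking how many tag bytes matched.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"example-shared-key"  # constructed sample key
    wire = mac_message(key, "hmac-sha256", b"firmware-manifest-v7")
    print("current algorithm verifies:", verify_message(key, b"firmware-manifest-v7", wire))
    old = mac_message(key, "hmac-sha1", b"archived-record", allow_deprecated=True)
    print("legacy tag, strict verifier:", verify_message(key, b"archived-record", old))
    print("legacy tag, transition verifier:",
          verify_message(key, b"archived-record", old, allow_deprecated=True))
```

The point of the design is that the decision "SHA-1 is no longer acceptable" lives in one table consulted by both sides, and the wire format already carries enough information for a verifier to enforce it. A protocol without the identifier has to infer the algorithm from context, which is exactly the situation that makes a later forced migration painful.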
