Quoting "Perry E. Metzger" <pe...@piermont.com>:

Ray Dillinger <b...@sonic.net> writes:
I cannot derive a realistic threat model from the very general
statements in the slides.

(BTW, you mean threat, not threat *model*, in this instance.)

As just one obvious example of a realistic threat, consider that there
are CAs that will happily sell you certificates that use SHA-1.

Various clever forgery attacks have been used against certs that use
MD5, see:


Those attacks can now be extended to SHA-1 pretty easily. It might

It is in my opinion way too early to jump to this kind of conclusion:

Even if the new attack works as promised (and I have the feeling that people are too optimistic here), there is the following issue:

* these advanced attacks against CAs do require a special type of collision attack (the name "chosen-prefix attack" was coined), not a "normal" collision attack we are talking about here for the case of SHA-1. A chosen-prefix attack can be expected to be significantly harder to perform than a "normal" attack. The link you provided should contain a more in-depth discussion on this for the case of MD5.

Nevertheless, I agree that moving away from SHA-1 should be encouraged (since 2005).


Christian Rechberger, Graz University of Technology, Austria.
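A defender-side check for the concern raised above (CAs still issuing SHA-1-signed certificates), as an added example that is not part of the thread: it walks a certificate's DER encoding to read the outer signatureAlgorithm OID and flags MD5 or SHA-1. The sample certificates are constructed placeholder shells, not real certificates; on a real DER file, pass its bytes to assess().

```python
"""Flag X.509 certificates whose signatureAlgorithm relies on MD5 or SHA-1.
Hand-rolled DER walker, no third-party deps; sample certs are constructed stand-ins."""

WEAK_SIG_OIDS = {                       # hash-then-sign algorithms to reject
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def der_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets into dotted form (first byte packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                 # remaining arcs are base-128, MSB = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = der_tlv(cert_der)
    _, _, pos = der_tlv(cert)           # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)   # outer AlgorithmIdentifier (what the CA used)
    tag, oid, _ = der_tlv(alg_id)       # its first element is the algorithm OID
    assert tag == 0x06, "expected OID"
    return decode_oid(oid)

def assess(cert_der):
    """Return ('weak', name) for MD5/SHA-1 signatures, else ('ok', dotted OID)."""
    oid = signature_algorithm_oid(cert_der)
    return ("weak", WEAK_SIG_OIDS[oid]) if oid in WEAK_SIG_OIDS else ("ok", oid)

def der(tag, body):                     # encoder for the samples; short-form lengths only
    return bytes([tag, len(body)]) + body

def fake_cert(sig_alg_oid_tlv):
    """Constructed minimal certificate shell carrying the given signature OID."""
    tbs = der(0x30, der(0x02, b"\x02"))                    # placeholder tbsCertificate
    alg = der(0x30, sig_alg_oid_tlv + der(0x05, b""))      # AlgorithmIdentifier + NULL
    return der(0x30, tbs + alg + der(0x03, b"\x00\xaa"))   # placeholder signatureValue

SHA1_RSA_CERT = fake_cert(bytes.fromhex("06092a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = fake_cert(bytes.fromhex("06092a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```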

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
