On Sat, May 2, 2009 at 12:33 PM, Perry E. Metzger <pe...@piermont.com> wrote:

As just one obvious example of a realistic threat, consider that there
are CAs that will happily sell you certificates that use SHA-1.

Various clever forgery attacks have been used against certs that use
MD5, see:


Those attacks can now be extended to SHA-1 pretty easily. It might
require a bit of compute infrastructure -- say a lot of FPGAs and a
bunch of cleverness -- to turn out certs quickly, but it can be
done. Given that there are lots of high value certs out there of this
form, this is rather dangerous.

Off-the-shelf FPGA-based device that breaks DES by brute force in
about a week, costs 9,000 euros: http://www.copacobana.org/
These are commercially available and programmable. Setting a
few of them up to break SHA-1 certainly would not be trivial,
but it looks feasible.

The design of DES facilitates this kind of throughput/cost gains on FPGAs.

Remember that the MD4 family (incl. SHA-1) was designed to be efficient on 32-bit CPUs. For these hash functions, it is much harder to get a throughput/cost gain on FPGAs compared to off-the-shelf CPUs. At least, this was my conclusion when I quickly looked into this a few years ago.


Christian Rechberger, Graz University of Technology, Austria

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to