+1 on marking SHA1 as weak. Good idea for the reasons Jeffrey gave. -1 on marking Tiger as weak. Last I checked, nobody knows how to find collisions in Tiger faster than brute force, i.e. 96-bit security. I consider that strong.
I'm undecided about marking RIPEMD-160 as weak.

Regards,
Zooko

On Jul 8, 2015 11:09, "Jeffrey Walton" <[email protected]> wrote:

> It's been a while since a class entered the Weak namespace. It *might* be time to consider some candidates for Weak. I think SHA-1 is a worthy candidate.
>
> SHA-1 provides 80 bits of theoretical security. Marc Stevens has that down to about 60 bits, which is well within the reach of many attackers, especially since compute time is so cheap on EC2 and Nova. (More correctly, it's at 2^61; see HashClash at https://marc-stevens.nl/p/hashclash/).
>
> From history, we know adversaries will attack 60 bits or so. There's little reason to go around the crypto because the adversaries can go through it in this case. To be clear, if it's economical, they will still go around it. For example, if it's easier to look up a static, hardcoded private key in Little Black Box (https://code.google.com/p/littleblackbox/), then the adversary will do so.
>
> We saw attacks on the crypto in the TI Signing Key break (https://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy); and we saw it in the Flame malware with its prefix collision attack on MD5 (https://en.wikipedia.org/wiki/Flame_%28malware%29).
>
> From a standards and compliance point of view, 80 bits of security has been withdrawn from US Federal by NIST. 112 bits of security was in effect in 2011, and the transition period for deprecation of 80 bits was over in 2013. ECRYPT, NESSIE and ISO have similar requirements.
>
> And even the browsers are moving against it. (https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html, https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ and http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx).
>
> So, the first QUESTION: should we move SHA-1 into Weak?
>
> If NO, then the second QUESTION is: when should we revisit? Or maybe what are the criteria to make the list?
>
> The final QUESTION is, what other algorithms would be potential candidates for the list?
>
> Jeff
