> > > There you have it. Surely a GPL'd tool implementing this attack style > will be available shortly. And since Chinese researchers have been > attacking SHA-1 lately, should SHA-256 be considered the proper > replacement? I am unsure :-(
Yes, it would probably be a good idea. I think this link has been put out on this list in the past with respect to discussion on SHA-1: http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html NIST might not be the bible to you on what to follow and implement, but they are definitely worth listening to (even if you're not a U.S. Federal agency) when they tell you not to use something anymore. For those that don't want to click and just want to read, here's the relevant parts: ---- March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols. ---- Steven http://www.securityzone.org > -- > Kristian Erik Hermansen > "I have no special talent. I am only passionately curious." > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
