You should have read the rest of that paragraph:

For MD5, the most efficient collision attacks do not have a
compatible message difference, but it seems possible to build
a dedicated attack with complexity below 2^39. However, for
SHA-1, all known collision attacks use differences in every
message words, and are thus unsuitable.

I.e. they say that this attack is impossible with SHA-1 too for now,
as they cannot use the 2^77 attack for SHA-1, as it only works with
chosen-prefix collisions where this requires almost-common-prefix
collision attack, and that does not work for SHA. To be able to attack
SHA-1 they need to find new ways to make almost chosen-prefix attacks
against SHA1.

At the beginning of the paper the authors write that the attack against
IKEv2 is _almost_ practical. So, it is infeasible today, but taking
into consideration the fast progress in hash analysis, it can become
feasible tomorrow. That's why it's better to have an additional defense
on the protocol level (like moving COOKIE to the end of the message).
It is not an urgent action that we should do in a rush, but it is an option
we should consider for the next major protocol update (if it happens).

Regards,
Valery.
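
As an added illustration, not part of the post above or of the paper it cites, of why the position of COOKIE relative to the peer's data matters: a toy Merkle-Damgard hash with a deliberately narrow 32-bit chaining value, where a common-prefix collision is cheap to find by a birthday search. The names toy_hash, find_collision_after and layouts_collide, the field values and the 32-bit state are assumptions of the example. The structural point it shows is the Merkle-Damgard property that a collision in an early block survives any data appended after it, so an attacker-controlled field placed before the honest peer's data can carry a precomputed collision; the same pair no longer collides once the peer's fresh data sits between the fixed prefix and the attacker's field, which is why that layout pushes the attacker towards the chosen-prefix setting the post discusses.

```python
"""Toy Merkle-Damgard model of a transcript hash (added example, not from the
post or the paper): shows which collision type a transcript layout demands."""
import hashlib

BLOCK = 4        # toy block size in bytes (assumption of this model)
STATE_BYTES = 4  # toy chaining value: 32 bits, narrow enough to collide by brute force


def compress(state: int, block: bytes) -> int:
    # Toy compression function: SHA-256 truncated to a narrow chaining value.
    # The narrow state, not any SHA-256 weakness, is what makes collisions cheap here.
    d = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(d[:STATE_BYTES], "big")


def absorb(state: int, data: bytes) -> int:
    # Iterate the compression function over whole blocks (length must be a multiple of BLOCK).
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def toy_hash(message: bytes) -> int:
    # Merkle-Damgard strengthening: zero-pad to a block boundary, then append a length block.
    padded = message + b"\x00" * (-len(message) % BLOCK) + len(message).to_bytes(BLOCK, "big")
    return absorb(0, padded)


def find_collision_after(prefix: bytes, limit: int = 1 << 20):
    """Birthday search for two distinct one-block values c1 != c2 such that
    absorb(start, c1) == absorb(start, c2), where start is the state after `prefix`.
    This is a common-prefix collision: the prefix is fixed and known in advance."""
    start = absorb(0, prefix)
    seen = {}
    for i in range(limit):
        block = i.to_bytes(BLOCK, "big")
        s = compress(start, block)
        if s in seen:
            return seen[s], block
        seen[s] = block
    raise RuntimeError("no collision found within the search limit")


def layouts_collide(prefix: bytes, c1: bytes, c2: bytes, honest: bytes) -> tuple:
    """Compare two transcript layouts using the same precomputed collision pair.
    Layout A: attacker field BEFORE the honest peer's data -> prefix || c || honest.
    Layout B: attacker field AFTER  the honest peer's data -> prefix || honest || c.
    Returns (layout A collides, layout B collides)."""
    a = toy_hash(prefix + c1 + honest) == toy_hash(prefix + c2 + honest)
    b = toy_hash(prefix + honest + c1) == toy_hash(prefix + honest + c2)
    return a, b


def demo() -> tuple:
    prefix = b"SAi1SAr1"      # constructed stand-in for the fixed transcript fields
    honest = b"RESP-NONCE-1"  # constructed stand-in for the peer's nonce, unknown to the attacker in advance
    c1, c2 = find_collision_after(prefix)
    return layouts_collide(prefix, c1, c2, honest)


if __name__ == "__main__":
    before, after = demo()
    print("attacker field before honest data: collision survives =", before)  # True
    print("attacker field after honest data:  collision survives =", after)   # False
```

Layout A collides with certainty: the chaining states after prefix||c1 and prefix||c2 are equal, and everything processed afterwards (the peer's data and the identical padding) is the same on both sides. Layout B only collides by accident (about one chance in 2^32 in this toy), because the pair was computed for the state after the prefix alone, not for the state after the prefix and the peer's fresh data; in a real protocol that state is only known once the peer has sent its data, which is exactly what turns the problem into a chosen-prefix one.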


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
