Eric Rescorla wrote:

> SHA-1 is only 2^80 strong against birthday attack. If you
> go around using SHA-1 or worse yet MD5 to sign stuff then
> using a private key of size > 1024 is only of limited value.

If you want to forge a signature, you will probably not be able to use
the birthday attack.  You need to find something whose hash is
identical to one already signed, not just a random collision.

That said, I do think that the hash function may well be the weakest
link in a lot of modern systems.  No one (outside government) really
uses Skipjack because the cryptanalytic results known have destroyed
people's confidence.  The results known for MD5 are probably just as
significant, but plenty of people still use that.

A related problem is that systems using TLS are forced to support
earlier, possibly less secure hashes.  There are still certs going
around that use MD2, for example.

-- 
Pete
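An added illustration of the distinction Pete draws, not code from the thread: SHA-256 is truncated to n bits (a constructed toy, so both searches finish in seconds) to make the work factors observable. A birthday search for any colliding pair costs roughly 2^(n/2) evaluations, while a second preimage of a message that is already signed costs roughly 2^n, which is why a generic collision does not by itself let you forge a signature on an existing document.

```python
import hashlib


def h(data: bytes, bits: int) -> int:
    """Truncated SHA-256: keep only the top `bits` bits of the digest.
    Constructed purely so the 2^(n/2) versus 2^n gap is visible quickly."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def _candidates():
    """Deterministic stream of distinct 8-byte candidate messages."""
    i = 0
    while True:
        yield i.to_bytes(8, "big")
        i += 1


def birthday_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Find ANY two distinct messages with equal truncated hash.
    Neither message is chosen in advance; expected work ~ 2^(bits/2)."""
    seen: dict[int, bytes] = {}
    tries = 0
    for m in _candidates():
        tries += 1
        v = h(m, bits)
        if v in seen and seen[v] != m:
            return seen[v], m, tries
        seen[v] = m
    raise AssertionError("unreachable")


def second_preimage(signed: bytes, bits: int) -> tuple[bytes, int]:
    """Find a message != `signed` whose truncated hash equals h(signed).
    The target is fixed by the existing signature; expected work ~ 2^bits."""
    goal = h(signed, bits)
    tries = 0
    for m in _candidates():
        tries += 1
        if m != signed and h(m, bits) == goal:
            return m, tries
    raise AssertionError("unreachable")


def compare(bits: int) -> dict[str, int]:
    """Return the number of hash evaluations each search needed at `bits` bits."""
    _, _, birthday_tries = birthday_collision(bits)
    _, preimage_tries = second_preimage(b"constructed signed document", bits)
    return {"birthday": birthday_tries, "second_preimage": preimage_tries}


if __name__ == "__main__":
    for n in (12, 16, 20):
        print(n, compare(n))
```

Running it at 20 bits shows the birthday search ending after about a thousand evaluations while the second-preimage search runs for roughly a million; the gap widens as n grows.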
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]