Re: [tahoe-dev] SHA-1 broken!
On Sun, May 3, 2009 at 4:35 PM, Christian Rechberger wrote: > The design of DES facilitates this kind of throughput/cost gains on FPGAs. > > Remember that the MD4 family (incl. SHA-1) was designed to be efficient on > 32-bit CPUs. For these hash functions, it is much harder to get a > throughput/cost gain on FPGAs compared to off-the-shelf CPUs. At least, this > was my conclusion when I quickly looked into this a few years ago. > The n...@home project(http://nsa.unaligned.org/) seems to do it pretty well. He even provides the optimized SHA-1 and MD5 Verilog code used. This only works because straight-up bruteforce requires little memory, though. If the new SHA-1 break requires significant memory usage I don't think something like the COPACOBANA can help. Regards, -- Thomas Coppi - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: [tahoe-dev] SHA-1 broken!
On Sat, May 2, 2009 at 12:33 PM, Perry E. Metzger wrote: As just one obvious example of a realistic threat, consider that there are CAs that will happily sell you certificates that use SHA-1. Various clever forgery attacks have been used against certs that use MD5, see: http://www.win.tue.nl/hashclash/rogue-ca/ Those attacks can now be extended to SHA-1 pretty easily. It might require a bit of compute infrastructure -- say a lot of FPGAs and a bunch of cleverness -- to turn out certs quickly, but it can be done. Given that there are lots of high value certs out there of this form, this is rather dangerous. Off-the-shelf FPGA-based device that breaks DES by brute force in about a week, costs 9,000 euros: http://www.copacobana.org/ These are commercially available and programmable. Setting a few of them up to break SHA-1 certainly would not be trivial, but it looks feasible. The design of DES facilitates this kind of throughput/cost gains on FPGAs. Remember that the MD4 family (incl. SHA-1) was designed to be efficient on 32-bit CPUs. For these hash functions, it is much harder to get a throughput/cost gain on FPGAs compared to off-the-shelf CPUs. At least, this was my conclusion when I quickly looked into this a few years ago. Best, Christian -- Christian Rechberger, Graz University of Technology, Austria - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: [tahoe-dev] SHA-1 broken!
Quoting "Perry E. Metzger" : Ray Dillinger writes: I cannot derive a realistic threat model from the very general statements in the slides. (BTW, you mean threat, not threat *model*, in this instance.) As just one obvious example of a realistic threat, consider that there are CAs that will happily sell you certificates that use SHA-1. Various clever forgery attacks have been used against certs that use MD5, see: http://www.win.tue.nl/hashclash/rogue-ca/ Those attacks can now be extended to SHA-1 pretty easily. It might It is in my opinion way to early to jump to this kind of conclusions: Even if the new attack works are promised (and I have the feeling that people are too optimistic here), there is the following issue: * these advanced attacks against CAs do require a special type of collision attack (the name "chosen-prefix attack" was coined), not a "normal" collision attack we are talking about here for the case of SHA-1. A chosen-prefix attack can be expected to be significantly harder to perform than a "normal" attack. The link you provided should contain a more in-depth discussion on this for the case of MD5. Nevertheless, I agree that moving away from SHA-1 should be encouraged (since 2005). Best, Christian -- Christian Rechberger, Graz University of Technology, Austria. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Has any public CA ever had their certificate revoked?
No, but a few years ago I looked at all the certs in IE and Netscape and found that about 30% of them were from companies that were at that time no longer in existence. The expiries on those where-are-they-now certs were often as not three decades into the future. N.B., if you are willing to take "no longer baked into the browser" as effectively revocation, there is a retrospective clerical job that might be a fun project if you had some graduate student labor to assign. --dan - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com