Re: Has any public CA ever had their certificate revoked?

2009-05-04 Thread dan

No, but a few years ago I looked at all the certs in IE
and Netscape and found that about 30% of them were from
companies that were at that time no longer in existence.
The expiries on those where-are-they-now certs were often
as not three decades into the future.

N.B., if you are willing to take no longer baked into
the browser as effectively revocation, there is a
retrospective clerical job that might be a fun project
if you had some graduate student labor to assign.

--dan

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: [tahoe-dev] SHA-1 broken!

2009-05-04 Thread Christian Rechberger

Quoting Perry E. Metzger pe...@piermont.com:



Ray Dillinger b...@sonic.net writes:

I cannot derive a realistic threat model from the very general
statements in the slides.


(BTW, you mean threat, not threat *model*, in this instance.)

As just one obvious example of a realistic threat, consider that there
are CAs that will happily sell you certificates that use SHA-1.

Various clever forgery attacks have been used against certs that use
MD5, see:

http://www.win.tue.nl/hashclash/rogue-ca/

Those attacks can now be extended to SHA-1 pretty easily. It might


It is in my opinion way to early to jump to this kind of conclusions:

Even if the new attack works are promised (and I have the feeling that  
people are too optimistic here), there is the following issue:


* these advanced attacks against CAs do require a special type of  
collision attack (the name chosen-prefix attack was coined), not a  
normal collision attack we are talking about here for the case of  
SHA-1. A chosen-prefix attack can be expected to be significantly  
harder to perform than a normal attack. The link you provided should  
contain a more in-depth discussion on this for the case of MD5.


Nevertheless, I agree that moving away from SHA-1 should be encouraged  
(since 2005).


Best,
 Christian

--
Christian Rechberger, Graz University of Technology, Austria.




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: [tahoe-dev] SHA-1 broken!

2009-05-04 Thread Christian Rechberger

On Sat, May 2, 2009 at 12:33 PM, Perry E. Metzger pe...@piermont.com wrote:


As just one obvious example of a realistic threat, consider that there
are CAs that will happily sell you certificates that use SHA-1.

Various clever forgery attacks have been used against certs that use
MD5, see:

http://www.win.tue.nl/hashclash/rogue-ca/

Those attacks can now be extended to SHA-1 pretty easily. It might
require a bit of compute infrastructure -- say a lot of FPGAs and a
bunch of cleverness -- to turn out certs quickly, but it can be
done. Given that there are lots of high value certs out there of this
form, this is rather dangerous.


Off-the-shelf FPGA-based device that breaks DES by brute force in
about a week, costs 9,000 euros: http://www.copacobana.org/
These are commercially available and programmable. Setting a
few of them up to break SHA-1 certainly would not be trivial,
but it looks feasible.


The design of DES facilitates this kind of throughput/cost gains on FPGAs.

Remember that the MD4 family (incl. SHA-1) was designed to be  
efficient on 32-bit CPUs. For these hash functions, it is much harder  
to get a throughput/cost gain on FPGAs compared to off-the-shelf CPUs.  
At least, this was my conclusion when I quickly looked into this a few  
years ago.


Best,
 Christian

--
Christian Rechberger, Graz University of Technology, Austria

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: [tahoe-dev] SHA-1 broken!

2009-05-04 Thread Thomas Coppi
On Sun, May 3, 2009 at 4:35 PM, Christian Rechberger
christian.rechber...@tugraz.at wrote:
 The design of DES facilitates this kind of throughput/cost gains on FPGAs.

 Remember that the MD4 family (incl. SHA-1) was designed to be efficient on
 32-bit CPUs. For these hash functions, it is much harder to get a
 throughput/cost gain on FPGAs compared to off-the-shelf CPUs. At least, this
 was my conclusion when I quickly looked into this a few years ago.


The n...@home project(http://nsa.unaligned.org/) seems to do it pretty well.
He even provides the optimized SHA-1 and MD5 Verilog code used.  This only works
because straight-up bruteforce requires little memory, though. If the new
SHA-1 break requires significant memory usage I don't think something
like the COPACOBANA can help.

Regards,
-- 
Thomas Coppi

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com