Re: [tahoe-dev] SHA-1 broken!

2009-05-05 Thread Perry E. Metzger
lance james lan...@securescience.net writes: stupid question - does this affect IPSec realistically as well? IPSec and IPSec related protocols like IKE use SHA-1 in various places. Whether those actually could be attacked using the known weaknesses in SHA-1 would require detailed examination of

Re: [tahoe-dev] SHA-1 broken!

2009-05-04 Thread Christian Rechberger
Quoting Perry E. Metzger pe...@piermont.com: Ray Dillinger b...@sonic.net writes: I cannot derive a realistic threat model from the very general statements in the slides. (BTW, you mean threat, not threat *model*, in this instance.) As just one obvious example of a realistic threat,

Re: [tahoe-dev] SHA-1 broken!

2009-05-04 Thread Christian Rechberger
On Sat, May 2, 2009 at 12:33 PM, Perry E. Metzger pe...@piermont.com wrote: As just one obvious example of a realistic threat, consider that there are CAs that will happily sell you certificates that use SHA-1. Various clever forgery attacks have been used against certs that use MD5, see:

Re: [tahoe-dev] SHA-1 broken!

2009-05-04 Thread Thomas Coppi
On Sun, May 3, 2009 at 4:35 PM, Christian Rechberger christian.rechber...@tugraz.at wrote: The design of DES facilitates this kind of throughput/cost gains on FPGAs. Remember that the MD4 family (incl. SHA-1) was designed to be efficient on 32-bit CPUs. For these hash functions, it is much

Re: [tahoe-dev] SHA-1 broken!

2009-05-03 Thread Sandy Harris
On Sat, May 2, 2009 at 12:33 PM, Perry E. Metzger pe...@piermont.com wrote: As just one obvious example of a realistic threat, consider that there are CAs that will happily sell you certificates that use SHA-1. Various clever forgery attacks have been used against certs that use MD5, see:

Re: [tahoe-dev] SHA-1 broken!

2009-05-02 Thread Jon Callas
It also is not going to be trivial to do this -- but it is now in the realm of possibility. I'm not being entirely a smartass when I say that it's always in the realm of possibility. The nominal probability for SHA-1 -- either 2^80 or 2^160 depending on context -- is a positive number.

Re: [tahoe-dev] SHA-1 broken! (was: Request for hash-dependency in Tahoe security.)

2009-05-01 Thread Ray Dillinger
On Thu, 2009-04-30 at 13:56 +0200, Eugen Leitl wrote: http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf Wow! These slides say that they discovered a way to find collisions in SHA-1 at a cost of only 2^52 computations. If this turns out to be right (and the authors

Re: [tahoe-dev] SHA-1 broken!

2009-05-01 Thread Perry E. Metzger
Ray Dillinger b...@sonic.net writes: I cannot derive a realistic threat model from the very general statements in the slides. (BTW, you mean threat, not threat *model*, in this instance.) As just one obvious example of a realistic threat, consider that there are CAs that will happily sell

Re: [tahoe-dev] SHA-1 broken!

2009-05-01 Thread Perry E. Metzger
Perry E. Metzger pe...@piermont.com writes: For example, Verisign has lots of cert infrastructure right now that uses SHA-1. Imagine if I now use the above described attack and start forging certs that look to all the world like they're from Verisign and claim that I'm a major bank, or to

[tahoe-dev] SHA-1 broken! (was: Request for hash-dependency in Tahoe security.)

2009-04-30 Thread Eugen Leitl
From: Zooko O'Whielacronx zo...@zooko.com
Subject: [tahoe-dev] SHA-1 broken! (was: Request for hash-dependency in Tahoe security.)
To: nejuc...@gmail.com, tahoe-...@allmydata.org
Date: Wed, 29 Apr 2009 15:59:05 -0600
Reply-To: tahoe-...@allmydata.org

On Apr 29, 2009, at 11:51 AM, Nathan