Re: [IP] One cryptographer's perspective on the SHA-1 result

2005-03-06 Thread james hughes
On Mar 4, 2005, at 5:23 PM, James A. Donald wrote:
> The attacks on MD*/SHA* are weak and esoteric.

On this we respectfully disagree.
You make it sound trivial. Wang has been working on these results for
over 10 years. She received the largest applause at the Crypto 2004 session
from her peers I have ever seen.

> It is not so fundamentally broken as to justify starting over.

On this I agree.
My recommendation for anyone that listens to (nobody) me is to abandon 
the MD series and SHA algorithms below SHA-256 for everything including 
certificates, pgp and even HMAC. But these are my inclinations. I would 
rather migrate to stronger crypto than have to continually justify why 
I continue to use algorithms that have known weaknesses.

$0.02
> --digsig
>  James A. Donald
>  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>  QVYtFQAELN4YlZ9xB60CvXTqW8QT8rOABMbJrPXE
>  4hz2qo1jnDwc3tmFFeyh6lG9sOrXL1783FYSh2s+v

What software do you use for this? Is it ECC or RSA?
Thanks
jim

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: [IP] One cryptographer's perspective on the SHA-1 result

2005-03-05 Thread James A. Donald
--
On 23 Feb 2005 at 21:37, Steven M. Bellovin wrote:
> I don't know if there's quite the need for open process for a
> hash function as there was for a secrecy algorithm.  The AES
> process, after all, had to cope with the legacy of Clipper
> and key escrow, to say nothing of the 25 years of DES
> paranoia that was only laid to rest by the reinvention of
> differential cryptanalysis.  (The Deep Crack machine only
> confirmed another part of the paranoia, of course, but the
> essential parameter it exploited -- key size -- was both
> obviously insufficient in 1979 and obviously sufficient from
> the requirements of the AES competition.)  It is clear, as
> Burt said, that we need a large-scale effort to produce new
> and better hash functions.  To try to repair the MD*/SHA*
> family is to risk the cry of "epicycles".

The attacks on MD*/SHA* are weak and esoteric.  It is not so
fundamentally broken as to justify starting over. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 QVYtFQAELN4YlZ9xB60CvXTqW8QT8rOABMbJrPXE
 4hz2qo1jnDwc3tmFFeyh6lG9sOrXL1783FYSh2s+v




FW: [IP] One cryptographer's perspective on the SHA-1 result

2005-03-03 Thread Trei, Peter
Full disclosure: Burt Kaliski and I share an employer.

Peter Trei

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
Of David Farber
Sent: Wednesday, February 23, 2005 7:48 PM
To: Ip
Subject: [IP] One cryptographer's perspective on the SHA-1 result



From: "Kaliski, Burt" <[EMAIL PROTECTED]>
Subject: One cryptographer's perspective on the SHA-1 result
To: <[EMAIL PROTECTED]>
Date: Wed, 23 Feb 2005 19:43:43 -0500

Hi Dave --

As you might expect, the recent breakthrough on SHA-1 hash was a topic of
widespread discussion at the annual RSA Conference last week in San
Francisco.  Commercial cryptography is one of few fields in IT which has
totally absorbed the "open review" process.  We know from experience that an
ongoing and aggressive analysis of our current technology, searching out
potential weaknesses, is a critical part of the process by which we
strengthen it for the future.

RSA Laboratories has just posted a brief note on the recent SHA-1 result, to
supplement our earlier notes about MD5 and other hashes, at
http://www.rsasecurity.com/rsalabs.

In my opinion, the latest result on SHA-1 -- once confirmed -- will be one
of the most significant results in cryptanalysis in the last decade.  Hard
work indeed brings a profit, as the proverb says, and the perseverance of
Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu appears to have paid off with
this unexpected special attack on SHA-1 that can find collisions in less
than the promised 2^80 threshold.

It is a delight to congratulate the Shandong University team on their
achievement, and especially Dr. Yiqun Lisa Yin, for many years my colleague
at RSA Laboratories, and one of the co-inventors of RSA Security's RC6 block
cipher.

This attack seems to have uncovered an unexpected weakness in one of the
essential properties of SHA-1, a one-way hash function with a 160-bit
output.  Essentially, this new research suggests that it is considerably
less difficult than expected to create two somewhat different data files
that can be reduced and compressed to an identical hash value.
Cryptographers call these "collisions" in hash outputs.

A hash function takes a variable-length digital input and converts it into a
fixed-length pseudo-random hash value that can serve as a useful
"fingerprint" for the input file.  A one-way hash function like SHA-1 is
easy to compute in one direction, but it's very difficult to reconstitute
the initial file from the hash value.  A good hash function is also expected
to be "collision-free." That is, it should be hard to generate two input
files which, put through the hash function, generate the same hash value.
(Hash function collisions must exist, of course, since the hash inputs can
be longer than the outputs -- but the design goal is to make them hard to
find in practice.)

These attributes have made the one-way hash one of the most useful
"primitives" in modern cryptography.  Hash functions are, for example,
essential in deriving message authentication codes (MACs) and "message
digests," the small file that is actually cryptographically "signed" to
create a "digital signature" for larger files, in a typical public key
crypto application.

MIT Professor Ron Rivest, one of the founders of RSA Security, created three
one-way hashes that were widely used by cryptographers over the past 20
years (MD2, MD4, and MD5), but each of those was eventually deprecated as
subtle weaknesses were discovered that suggested that the internal design
was less robust than desired against potential future attacks.

Any successful attack on SHA-1 based on the new result would still involve a
huge amount of computer processing, so this latest research is unlikely (as
many have said) to have any significant impact on past or current
applications.  It is, however, a wake-up call for cryptographers and the
industry leaders concerned with the long-term vitality of our technology.

The SHA (aka SHA-0) hash function was developed for the US government in
1995 for use within the Digital Signature Standard.  Its design was based on
MD4.  SHA was upgraded to SHA-1 early in its life cycle, apparently to
address undisclosed weaknesses discovered by the NSA, and today SHA-1 is the
industry standard.  It is widely used and has been trusted by both
developers and applied crypto engineers, although routine efforts to enhance
SHA-1 with longer output values have led to the quiet development of
SHA-256, SHA-384, and SHA-512 as design options for long-term applications.

Although RSA Security, and most standards organizations, have recommended
the use of SHA-1 for several years, Rivest's MD5 is still widely used in
many applications despite research in the 1990s that discovered "pseudo"
collisions within the internal operations of MD5.  Then, last summer, there
were additional results on MD5 that led
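
Added example (my code, not from any message in this thread) illustrating two points raised above: Kaliski's explanation that collisions must exist because inputs are longer than outputs and that finding one generically costs about 2^(n/2) work (the 2^80 figure for SHA-1's 160-bit output), shown on a toy hash truncated to a few bits so the effect is observable, and Hughes's recommendation earlier in the thread to move fingerprints and HMAC from SHA-1 to SHA-256. The function names, the truncation, the key and the messages are constructed for the demonstration; only the standard `hashlib` and `hmac` modules are used.

```python
"""Added example, not part of any message in this thread. All inputs are
constructed. Shows: fixed-length fingerprints, the avalanche effect, a
birthday search on a truncated toy hash (why 2^(n/2) is the generic
collision cost, i.e. 2^80 for 160 bits), and HMAC with the hash as a
migration knob (sha1 -> sha256)."""
import hashlib
import hmac


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Fixed-length hex digest of a variable-length input."""
    return hashlib.new(algo, data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def truncated_digest(data: bytes, bits: int) -> int:
    """Toy n-bit hash: the leading `bits` bits of SHA-256. Constructed only
    to make the pigeonhole/birthday argument visible at small sizes."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_collision(bits: int):
    """Generic birthday search: hash distinct constructed messages until two
    share a truncated digest. Expected work is about 2**(bits / 2) hashes,
    which for a 160-bit output is the 2^80 threshold the thread mentions.
    Returns (m1, m2, trials)."""
    seen = {}
    trials = 0
    while True:
        msg = b"constructed-message-%d" % trials  # distinct for every trial
        trials += 1
        h = truncated_digest(msg, bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg


def mac_tag(key: bytes, msg: bytes, algo: str = "sha256") -> str:
    """HMAC tag; `algo` is the only thing that changes when migrating."""
    return hmac.new(key, msg, algo).hexdigest()


def mac_verify(key: bytes, msg: bytes, tag: str, algo: str = "sha256") -> bool:
    """Constant-time comparison so verification does not leak the tag."""
    return hmac.compare_digest(mac_tag(key, msg, algo), tag)


if __name__ == "__main__":
    a = fingerprint(b"abc", "sha1")
    b = fingerprint(b"abd", "sha1")
    print("SHA-1(abc)      =", a)
    print("SHA-256(abc)    =", fingerprint(b"abc", "sha256"))
    print("bits changed by a one-byte edit (of 160):", differing_bits(a, b))
    m1, m2, n = birthday_collision(24)
    print(f"24-bit toy collision after {n} trials (expect ~2^12): {m1!r} {m2!r}")
    key = b"constructed-demo-key"
    print("HMAC-SHA-1   :", mac_tag(key, b"hello", "sha1"))
    print("HMAC-SHA-256 :", mac_tag(key, b"hello", "sha256"))
```

Raising `bits` in `birthday_collision` roughly doubles the trial count for every two extra bits, which is the whole reason a 160-bit output was expected to hold up to 2^80 work and why the reported attack falling below that bound matters.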

Re: [IP] One cryptographer's perspective on the SHA-1 result

2005-03-03 Thread Steven M. Bellovin
Burt Kaliski posted the following to Dave Farber's IP list.  I was 
about to post something similar myself.

>Beyond that, it is now clear that the industry needs an open evaluation
>process -- like the Advanced Encryption Standard competition -- to establish
>a new hash function standard for the long term, or at least an alternative
>if SHA-256 and above turn out still to be good enough after review.
>

As he quite eloquently pointed out, we have a near-monoculture of hash 
algorithms.  Virtually every well-known hash algorithm, with the 
exception of Whirlpool, is derived from MD2/MD4/MD5.  At the time SHA-0 
was released, in fact, there was a great deal of speculation that NSA 
had copied Rivest's framework to avoid disclosing any new principles 
for hash function construction.

I have no idea if that's true or not.  As we all know, even NSA found 
SHA more problematic than they would have hoped; witness the release of 
SHA-1 not all that long afterwards.

When NIST released SHA256/384/512 shortly after AES, but without a 
public competition, the word was that they didn't have the resources to 
run two simultaneous large-scale, open processes.  That's a fair 
statement, and given the choice between an openly-chosen encryption 
algorithm and an openly-chosen hash function I think most of us would 
have made the same decision.

I don't know if there's quite the need for open process for a hash 
function as there was for a secrecy algorithm.  The AES process, after 
all, had to cope with the legacy of Clipper and key escrow, to say 
nothing of the 25 years of DES paranoia that was only laid to rest by 
the reinvention of differential cryptanalysis.  (The Deep Crack machine 
only confirmed another part of the paranoia, of course, but the 
essential parameter it exploited -- key size -- was both obviously 
insufficient in 1979 and obviously sufficient from the requirements of 
the AES competition.)  It is clear, as Burt said, that we need a 
large-scale effort to produce new and better hash functions.  To try to 
repair the MD*/SHA* family is to risk the cry of "epicycles".

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb


