Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-24 Thread Peter Gutmann
Eric Rescorla e...@networkresonance.com writes: At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote: Steven M. Bellovin s...@cs.columbia.edu writes: So -- who supports TLS 1.2? Not a lot, I think. The problem with 1.2 is that it introduces a pile of totally gratuitous incompatible

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-24 Thread Ben Laurie
On Sat, Jan 24, 2009 at 2:36 AM, Victor Duchovni victor.ducho...@morganstanley.com wrote: You seem to be out of touch I am afraid. Just look at what many O/S distributions do. They adopt a new OpenSSL 0.9.Xy release from time to time (for some initial y) and back-port security fixes never

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-24 Thread Eric Rescorla
At Sat, 24 Jan 2009 14:55:15 +1300, Peter Gutmann wrote: Yes, the changes between TLS 1.1 and TLS 1.2 are about as big as those between SSL and TLS. I'm not particularly happy about that either, but it's what we felt was necessary to do a principled job. It may have been a nicely principled

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-23 Thread Ben Laurie
On Tue, Jan 20, 2009 at 5:14 AM, Victor Duchovni victor.ducho...@morganstanley.com wrote: On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote: The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256 mandatory), so you can send a SHA-256 certificate to clients that

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-23 Thread Victor Duchovni
On Fri, Jan 23, 2009 at 04:01:50PM +1100, Ben Laurie wrote: I really hope to see real OpenSSL patch releases some day with development of new features *strictly* in the development snapshots. Ideally this will start with 0.9.9a, with no new features, just bug-fixes, in [b-z]. ] I think

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-23 Thread Eric Rescorla
At Tue, 20 Jan 2009 17:57:09 +1300, Peter Gutmann wrote: Steven M. Bellovin s...@cs.columbia.edu writes: So -- who supports TLS 1.2? Not a lot, I think. The problem with 1.2 is that it introduces a pile of totally gratuitous incompatible changes to the protocol that require quite a bit

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-21 Thread Peter Gutmann
Jon Callas j...@callas.org writes: I've always been pleased with your answer to Question J, so I'll say what we're doing at PGP. That wasn't really meant as a compliment :-). The problem is that by leaping on things the instant they appear you end up having to support a menagerie of wierdo

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Bodo Moeller
On Sat, Jan 17, 2009 at 5:24 PM, Steven M. Bellovin s...@cs.columbia.edu wrote: I've mentioned it before, but I'll point to the paper Eric Rescorla wrote a few years ago: http://www.cs.columbia.edu/~smb/papers/new-hash.ps or http://www.cs.columbia.edu/~smb/papers/new-hash.pdf . The bottom

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Darren J Moffat
Paul Hoffman wrote: At 12:24 PM +0100 1/12/09, Weger, B.M.M. de wrote: When in 2012 the winner of the NIST SHA-3 competition will be known, and everybody will start using it (so that according to Peter's estimates, by 2018 half of the implementations actually uses it), do we then have enough

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Paul Hoffman
At 1:38 PM + 1/19/09, Darren J Moffat wrote: Can you state the assumptions for why you think that moving to SHA384 would be safe if SHA256 was considered vulnerable in some way please. Sure. I need 128 bits of pre-image protection for, say, a digital signature. SHA2/256 is giving me that.

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Victor Duchovni
On Mon, Jan 19, 2009 at 10:45:55AM +0100, Bodo Moeller wrote: The RFC does exit (TLS 1.2 in RFC 5246 from August 2008 makes SHA-256 mandatory), so you can send a SHA-256 certificate to clients that indicate they support TLS 1.2 or later. You'd still need some other certificate for

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Steven M. Bellovin
On Mon, 19 Jan 2009 10:45:55 +0100 Bodo Moeller bmoel...@acm.org wrote: On Sat, Jan 17, 2009 at 5:24 PM, Steven M. Bellovin s...@cs.columbia.edu wrote: I've mentioned it before, but I'll point to the paper Eric Rescorla wrote a few years ago:

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Peter Gutmann
Steven M. Bellovin s...@cs.columbia.edu writes: So -- who supports TLS 1.2? Not a lot, I think. The problem with 1.2 is that it introduces a pile of totally gratuitous incompatible changes to the protocol that require quite a bit of effort to implement (TLS 1.1 - 1.2 is at least as big a step,

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Jon Callas
I have a general outline of a timeline for adoption of new crypto mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically algorithms) in my Crypto Gardening Guide and Planting Tips, http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt , see Question J about 2/3 of the way

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-20 Thread Nicolas Williams
On Mon, Jan 19, 2009 at 01:38:02PM +, Darren J Moffat wrote: I don't think it depends at all on who you trust but on what algorithms are available in the protocols you need to use to run your business or use the apps important to you for some other reason. It also very much depends on

RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-17 Thread Peter Gutmann
Weger, B.M.M. de b.m.m.d.we...@tue.nl writes: Bottom line, anyone fielding a SHA-2 cert today is not going=20 to be happy with their costly pile of bits. Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who takes NIST seriously will have to

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-17 Thread Marcus Brinkmann
Weger, B.M.M. de wrote: In my view, the main lesson that the information security community, and in particular its intersection with the application building community, has to learn from the recent MD5 and SHA-1 history, is that strategies for dealing with broken crypto need rethinking. On

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-17 Thread Steven M. Bellovin
On Mon, 12 Jan 2009 16:05:08 +1300 pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote: Weger, B.M.M. de b.m.m.d.we...@tue.nl writes: Bottom line, anyone fielding a SHA-2 cert today is not going=20 to be happy with their costly pile of bits. Will this situation have changed by the end of

RE: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-11 Thread Weger, B.M.M. de
Hi Victor, Bottom line, anyone fielding a SHA-2 cert today is not going to be happy with their costly pile of bits. Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who takes NIST seriously will have to switch to SHA-2? The first weakness

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-11 Thread Victor Duchovni
On Sat, Jan 10, 2009 at 11:32:44PM +0100, Weger, B.M.M. de wrote: Hi Victor, Bottom line, anyone fielding a SHA-2 cert today is not going to be happy with their costly pile of bits. Will this situation have changed by the end of 2010 (that's next year, by the way), when everybody who

Re: MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-10 Thread Victor Duchovni
On Thu, Jan 08, 2009 at 06:23:47PM -0600, Dustin D. Trammell wrote: Nearly everything I've seen regarding the proposed solutions to this attack have involved migration to SHA-1. SHA-1 is scheduled to be decertified by NIST in 2010, and NIST has already recommended[1] moving away from SHA-1