Re: SHA-1 rumors
Greg,

> And the reason you haven't heard any progress from Dobbertin is because his
> employers told him to either stop working on it, or stop talking about it,
> depending which version of the story you've heard. Since he works for the
> German NSA-equivalent, I guess he would take this seriously.

Hans Dobbertin stopped working for NoSuchAgency quite a while ago so he might
be able to tell us a few more details:

http://www.ruhr-uni-bochum.de/itsc/personen/dobbertin.html

Cheers,

Stefan.

---
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail [EMAIL PROTECTED], http://www.secorvo.de
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: SHA-1 rumors
> No, it was on the compression function, but not in any sense "reduced".
> But you had to start with particular values of the chaining variables,
> and in practice no-one knows how to do that, so MD5 (as a whole) isn't
> broken by this, at least until tomorrow evening. The rumour here is that
> MD5, HAVAL, and RIPE-MD are all goners. We know SHA-0 is toast too.
> There might also be results against SHA-1. Hash functions are hard.

What I've heard (also at CRYPTO right now like Greg) is that the four
Chinese researchers (Wang, Fang, Lai, Yu) have found collisions in MD4,
MD5, HAVAL, and RIPEMD. They state that SHA-0 collisions can be found as
well. However, the collision they list for MD5 doesn't work because the
Chinese translation of [MOV] had an error which caused an endianness
problem. So they have a collision for a PARTICULAR IV. One of the four
researchers is back in China, so they are on the phone trying to fix the
problem for the announcement tomorrow evening.

However, they have announced nothing regarding SHA-1 or any of the
larger-output SHA versions like SHA-256, etc. We haven't seen their methods
yet, but one has to believe that their methods are fairly general given the
range of hash functions they've attacked. This would SEEM to put the SHA
family into jeopardy as well, but we should know more tomorrow evening.

John Black

[MOV] Menezes, van Oorschot, Vanstone; Handbook of Applied Cryptography,
CRC Press.
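John Black's point above, that the listed MD5 pair only collides for a particular IV and that an endianness slip in transcribing that IV makes a genuine pair look like a non-collision, is easiest to see with a hash implementation whose chaining value is a parameter. The Python below is an added example for this thread, not code from any poster or from the Wang et al. paper. The names `md5_with_iv`, `md5_compress`, `swap_word_endianness`, `matches_hashlib` and `verify_collision` are chosen here for illustration, and the two sample messages are constructed inputs that are not a real collision pair; the MD5 constants and step schedule are the standard ones from RFC 1321.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Standard MD5 initial chaining value from RFC 1321, as four 32-bit words.
MD5_STANDARD_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

# Per-step rotation amounts and sine-derived additive constants (RFC 1321).
_S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
      + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
_K = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_compress(state, block):
    """One MD5 compression of a 64-byte block from chaining value `state`."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)  # message words are read little-endian
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
    # Davies-Meyer feed-forward: add the block result to the incoming state.
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5_with_iv(message, iv=MD5_STANDARD_IV):
    """Hex MD5 digest of `message`, starting from the chaining value `iv`."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    padded += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = tuple(iv)
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()


def swap_word_endianness(iv):
    """Byte-swap each 32-bit word: the slip a wrong-endian transcription makes."""
    return tuple(struct.unpack(">I", struct.pack("<I", w))[0] for w in iv)


def matches_hashlib(message):
    """Self-check: with the standard IV our digest must equal hashlib's."""
    return md5_with_iv(message) == hashlib.md5(message).hexdigest()


def verify_collision(m1, m2, iv=MD5_STANDARD_IV):
    """A claimed collision holds only if the two messages differ and hash
    to the same value under the stated chaining value."""
    return m1 != m2 and md5_with_iv(m1, iv) == md5_with_iv(m2, iv)


if __name__ == "__main__":
    # Constructed sample inputs; this pair is NOT a real collision.
    m1 = b"announcement draft, version 1"
    m2 = b"announcement draft, version 2"
    swapped = swap_word_endianness(MD5_STANDARD_IV)
    print("standard IV agrees with hashlib:", matches_hashlib(m1))
    print("collision under standard IV:", verify_collision(m1, m2))
    print("collision under byte-swapped IV:", verify_collision(m1, m2, swapped))
    print("same message, two IV readings differ:",
          md5_with_iv(m1) != md5_with_iv(m1, swapped))
```

Checking a claimed collision therefore needs three things stated precisely: the two messages as bytes, the chaining value they start from, and the byte order in which that value's words were written down. Confirming the standard-IV path against `hashlib` first rules out bugs in the checker itself before any non-standard IV is tried.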
Re: SHA-1 rumors
Eric Rescorla wrote:

> P.S. AFAIK, although Dobbertin was able to find preimages for reduced
> MD4, there still isn't a complete break in MD4. Correct?

Dobbertin published a complete break of MD4 (namely, a breaking algorithm
and some collisions found with it) in the Journal of Cryptology.

Mads
Re: SHA-1 rumors
At 15:50 2004-08-16 -0400, Matt Curtin wrote:

> Eric Rescorla <[EMAIL PROTECTED]> writes:
>
> > P.S. AFAIK, although Dobbertin was able to find preimages for
> > reduced MD4, there still isn't a complete break in MD4. Correct?
>
> Dobbertin's work was on reduced MD5. I haven't heard anything about
> progress on that front for several years.

No, it was on the compression function, but not in any sense "reduced".
But you had to start with particular values of the chaining variables, and
in practice no-one knows how to do that, so MD5 (as a whole) isn't broken
by this, at least until tomorrow evening. The rumour here is that MD5,
HAVAL, and RIPE-MD are all goners. We know SHA-0 is toast too. There might
also be results against SHA-1. Hash functions are hard.

And the reason you haven't heard any progress from Dobbertin is because his
employers told him to either stop working on it, or stop talking about it,
depending which version of the story you've heard. Since he works for the
German NSA-equivalent, I guess he would take this seriously.

Greg.

Greg Rose                                  INTERNET: [EMAIL PROTECTED]
Qualcomm Australia                         VOICE: +61-2-9817 4188
Level 3, 230 Victoria Road,                FAX:   +61-2-9817 5199
Gladesville NSW 2111                       http://people.qualcomm.com/ggr/
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Re: SHA-1 rumors
Eric Rescorla <[EMAIL PROTECTED]> writes:

> P.S. AFAIK, although Dobbertin was able to find preimages for
> reduced MD4, there still isn't a complete break in MD4. Correct?

Dobbertin's work was on reduced MD5. I haven't heard anything about
progress on that front for several years.

http://citeseer.ist.psu.edu/243938.html

MD4 was reported broken a year or two earlier.

--
Matt Curtin, CISSP, IAM, INTP. Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)
SHA-1 rumors
Ed Felten's blog is carrying the rumor that a break in SHA-1 is going to be
announced soon:

http://www.freedom-to-tinker.com/archives/000661.html

I've also done some off-the-cuff analysis of how bad this would be in
practice, which you can find here:

http://www.rtfm.com/movabletype/archives/2004_08.html#001051

The key question is whether it's just collisions, which would be
embarrassing, but which don't affect most applications, or whether there is
forward progress in finding preimages.

Anyone know anything about this rumor?

-Ekr

P.S. AFAIK, although Dobbertin was able to find preimages for reduced MD4,
there still isn't a complete break in MD4. Correct?