On Thursday, 2009-08-27, at 19:14, James A. Donald wrote:
Zooko Wilcox-O'Hearn wrote:
Right, and if we add algorithm agility then this attack is
possible even if both SHA-2 and SHA-3 are perfectly secure!
Consider this variation of the scenario: Alice generates a
filecap and gives it to Bo
Zooko Wilcox-O'Hearn wrote:
On Wednesday, 2009-08-26, at 19:49, Brian Warner wrote:
Attack B is where Alice uploads a file, Bob gets the filecap and
downloads it, Carol gets the same filecap and downloads it, and
Carol desires to see the same file that Bob saw. ... The attackers
(who may b
On Wednesday, 2009-08-26, at 19:49, Brian Warner wrote:
Attack B is where Alice uploads a file, Bob gets the filecap and
downloads it, Carol gets the same filecap and downloads it, and
Carol desires to see the same file that Bob saw. ... The attackers
(who may be Alice and/or other parties)
On Aug 26, 2009, at 1:39 PM, Zooko Wilcox-O'Hearn wrote:
...This at least suggests that the v1.7 readers need to check *all*
hashes that are offered and raise an alarm if some verify and others
don't. Is that good enough?
"Good enough" for what purpose?
By hypothesis, "SHA-3" is secure, so
> This at least suggests that the v1.7 readers need to check *all*
> hashes that are offered and raise an alarm if some verify and others
> don't. Is that good enough?
Isn't that what SSL/TLS does?
/r$
--
STSM, DataPower CTO
WebSphere Appliance Architect
http://www.ibm.com/software/in
Folks:
My brother Nathan Wilcox asked me in private mail about protocol
versioning issues. (He was inspired by this thread on
cryptography@metzdowd.com [1, 2, 3]). After rambling for a while
about my theories and experiences with such things, I remembered this
vexing "future-compatibili