[Moderator's note: I'm ending forwards/posts on this topic, unless
someone has something stunningly new to say. --Perry]
--- begin forwarded text
To: [EMAIL PROTECTED]
From: "Arnold G. Reinhold" <[EMAIL PROTECTED]>
Subject: Re: [Mac_crypto] Apple should use SHA! (or
On Mon, Apr 12, 2004 at 06:00:26PM -0700, Joseph Ashwood wrote:
> > From: Nicko van Someren <[EMAIL PROTECTED]>
> >
> > It's not clear to me that you need all this complexity. All you need
> > if to arrange that the attacker does not know exactly what will be
> > signed until it has been signed.
Sorry about being late to the party, I've been a bit busy lately.
> From: Nicko van Someren <[EMAIL PROTECTED]>
> Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
> authenticate software releases
> To: [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
&g
--- begin forwarded text
From: Nicko van Someren <[EMAIL PROTECTED]>
Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
authenticate software releases
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
List-Id: Macintosh Cryptography
List-Post: &
> > But if you are given the choice between using MD5 and SHA1, I'd prefer
> > SHA1, but I wouldn't be concerned with someone using MD5 isntead of SHA1
> > for the time being. In other words, if I were to do a risk analysis, I
would
> > identify
> > the use of MD5 instead of SHA1 as one of the maj
R. A. Hettinga wrote:
> In practice you'll probably find something that you can alter in
>the last few hundred KB but still the raw processing cost will be a few
>orders of magnitude harder than a simple hash collision problem.
[etc.]
This disucssion suggests a simple countermeasure: put som
On 5 Apr 2004, at 23:43, Arnold G. Reinhold wrote:
Having a tail 2 MB or longer may make the processing time comparable
to finding an SHA1 collision, but it is still a 64-bit problem and
thus requires far less memory than finding an SHA1 collision.
Just because SHA-1 is O(2^80) and this problem
At 4:51 PM +0100 4/5/04, Nicko van Someren wrote:
...
While I agree that it is somewhat lax of Apple to be using MD5 for
checking its updates it's far from clear to me that an attack of the
sort described above would ever be practical. The problem is that
the while there are methods for finding
The attacks by Dobbertin on MD5 only allow to find collisions in the
compression function, not the whole MD5 hash.
But it is a sign that something might be fishy about MD5.
MD5 output is 128 bits. There are two types of collision finding
attacks that can be applied. In the first you are given
--- begin forwarded text
To: [EMAIL PROTECTED]
From: Vinnie Moscaritolo <[EMAIL PROTECTED]>
Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
authenticate software releases
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
List-Id: Macintosh Cryptography
List-Post: &
--- begin forwarded text
From: Nicko van Someren <[EMAIL PROTECTED]>
Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to
authenticate software releases
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
List-Id: Macintosh Cryptography
List-Post: &
Dobbertin's 1996 collision demonstration is another good reason not
to use md5, but is obviously hasn't gotten the open source community
or Apple to stop. Whether my attack will be any more successful in
effecting change remains to be seen. Publishing SHA1 hashes in
parallel with md5 seems lik
hi, mr. reinhold --
there's stronger reason than the ones you cite,
to distrust md5 as a message-digest. see these
old sci.crypt threads, and the google-search below,
for discussions of hans dobbertin's 1996 crack
of md5:
http://tinyurl.com/2ox7g
http://tinyurl.com/3x446
http://google.com/sear
13 matches
Mail list logo
