Should we settle on one SSL implementation?

Paul Wouters paul at xelerance.com
Sat Oct 27 17:27:14 UTC 2007


On Sat, 27 Oct 2007, Oisin Feeley wrote:

> > Uh?  I wasn't aware SHA1 has been broken (at least, not in
> > a practically exploitable way).
>
> It hasn't ... yet.  But the US government is mandating that it not be
> used after 2010, so anyone wanting to be able to fulfill that needs to
> plan now how to make the transition:
>
> "March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
> SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
> applications using secure hash algorithms. Federal agencies should
> stop using SHA-1 for digital signatures, digital time stamping and
> other applications that require collision resistance as soon as
> practical, and must use the SHA-2 family of hash functions for these
> applications after 2010."
>
> http://csrc.nist.gov/groups/ST/hash/policy.html

Note that this applies to sha1 being used for hashes of filenames, X.509
attributes, etc. It does not apply to IPsec's use of md5/sha1, which does not
require collision resistance because of its use of HMAC.

The official IETF policy is "walk, not run, to a new secure hashing algorithm".
Also, it is believed that if SHA-1 is compromised, the attack would work
similarly to SHA-256 et al.

Paul
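As an added illustration (not part of this thread or its author's text), here is the RFC 2104 HMAC construction written out over hashlib's SHA-1 and MD5, plus the 96-bit truncation IPsec carries in the ICV (RFC 2403/2404); the function names are my own. It makes the point in the reply concrete: the only hash inputs an attacker can influence are already mixed with a secret key, so a SHA-1 collision on attacker-chosen messages does not translate into a forged tag.

```python
import hashlib
import hmac

# RFC 2104: HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m))
def hmac_rfc2104(key: bytes, msg: bytes, hash_ctor=hashlib.sha1) -> bytes:
    block_size = hash_ctor().block_size          # 64 bytes for both MD5 and SHA-1
    if len(key) > block_size:
        key = hash_ctor(key).digest()            # overlong keys are hashed first
    key = key.ljust(block_size, b"\x00")         # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # The attacker never sees (ipad-key || msg) as a free hash input, and the
    # outer hash is keyed again, so collision resistance of H is not what keeps
    # tags unforgeable; that is the distinction drawn for IPsec in the reply.
    inner = hash_ctor(ipad + msg).digest()
    return hash_ctor(opad + inner).digest()

def ipsec_icv_hmac_sha1_96(key: bytes, msg: bytes) -> bytes:
    # IPsec AH/ESP (RFC 2404) transmits only the leftmost 96 bits of HMAC-SHA-1.
    return hmac_rfc2104(key, msg, hashlib.sha1)[:12]

def ipsec_icv_hmac_md5_96(key: bytes, msg: bytes) -> bytes:
    # Same truncation for HMAC-MD5-96 (RFC 2403).
    return hmac_rfc2104(key, msg, hashlib.md5)[:12]

def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_ctor=hashlib.sha1) -> bool:
    # Constant-time comparison so a verifier does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_ctor), tag)

if __name__ == "__main__":
    # Constructed sample key and message; compare against the stdlib hmac module.
    k, m = b"\x0b" * 20, b"Hi There"
    assert hmac_rfc2104(k, m) == hmac.new(k, m, hashlib.sha1).digest()
    print(hmac_rfc2104(k, m).hex())
```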
