[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Should we settle on one SSL implementation?



On Sat, 27 Oct 2007, Oisin Feeley wrote:

> > Uh?  I wasn't aware SHA1 has been broken (at least, not in
> > a practically exploitable way).
>
> It hasn't ... yet.  But the US government is mandating that it not be
> used after 2010, so anyone wanting to be able to fulfill that needs to
> plan now how to make the transition:
>
> "March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
> SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
> applications using secure hash algorithms. Federal agencies should
> stop using SHA-1 for digital signatures, digital time stamping and
> other applications that require collision resistance as soon as
> practical, and must use the SHA-2 family of hash functions for these
> applications after 2010."
>
> http://csrc.nist.gov/groups/ST/hash/policy.html

Note that this applies to sha1 being used for hashes of filenames, X.509
attributes, etc. It does not apply to IPsec's use of md5/sha1, which does not
require collision resistance because of its use of HMAC.

The official IETF policy is "walk, not run, to a new secure hashing algorithm".
Also, it is believed that if SHA-1 is compromised, the attack would work
similarly to SHA-256 et al.

Paul


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]