-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philippe Vogel wrote:
| Malte Gell wrote:
|
| | On Sunday 20 February 2005 11:37, Kai Schaetzl wrote:
| |
| |> Polarizer wrote on Wed, 16 Feb 2005 13:31:49 +0100:
| |>
| |>> Broken is broken
| |>
| |> It's not broken.
| |
| | It IS broken, because the effort of finding a collision now is
| | below the effort of using brute force, 2^64 vs 2^80. The same
| | applies to a cipher, if the effort to find a key is below brute
| | force it is broken, it's that simple. How feasible a real world
| | attack is, is something different, but for a cryptographer SHA-1 is
| | broken.
| |
| | Malte
|
| O.K. a 2^64 key is more insecure than a 2^80 long key, but try to
| break it. The next step is to find the collision. If you got any
| mathematical knowledge or some courses in encryption you would know
| that this is not that easy. The issue is a mathematical
| instability in the sha1 algorithm. Normally I use md5.
|
| SHA1 is normally used for file integrity (afaik with ssh), so maybe
| Mr. Evil could hack a signed package and use this technique to
| break the integrity of a signed file.
|
| O.K. this is security related, but it still takes a strong effort
| to break keys. Next thing is sha1 is a hashing algorithm and no
| encryption algorithm. What does this mean? A calculation of the
| content of a file is made and gets extracted to a file with a
| content of bytes, comparable to adding the digits of a number.
|
| A second application of hashing is password encryption. You don't
| get the password, if you hack a shadow-file, you get the hash-value
| of a password. This is not the same as the password itself.
|
| This doesn't mean you are not safe anymore. But it is no longer that
| hard to get the sha1-value (2^64 = 1'844'674'074'000'000'000). A
| next comparison would be key length vs. encryption algorithm (e.g.:
| twofish or blowfish is not as secure as md5). There you see
| some algorithms are faster or slower, and the faster ones are more
| insecure than the slower ones.
|
| I think mostly high-security applications should be concerned about
| that.
|
| Regards
|
| Philippe

Oh and I forgot PGP works with SHA1 for mail signing ;)

Maybe it is for your private purposes to solve this issue, if you sign
your mails to guarantee that the mail came from you :(

I hope everybody gave his key a password [...] :-X

Philippe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
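
The 2^80 figure quoted in the thread is the generic birthday bound for a 160-bit digest: roughly 2^(n/2) hash computations find some colliding pair for any n-bit hash, and the 2^64 figure is being compared against that. As an added example (not part of the original message), the sketch below runs that generic search on SHA-1 truncated to a few bits so it finishes instantly; the function names and the message prefix are constructed for illustration.

```python
"""Birthday-bound collision search on truncated SHA-1 (added teaching example)."""
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-1(data) as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_collision(bits: int, prefix: bytes = b"constructed-msg-"):
    """Find two distinct inputs whose truncated digests match.

    Inputs are prefix + counter (constructed sample data), so the run is
    deterministic. Returns (msg_a, msg_b, hashes_computed).
    """
    seen = {}  # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        counter += 1
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


def report(bits: int) -> dict:
    """Compare the measured work with the birthday estimate and the full space."""
    a, b, work = birthday_collision(bits)
    return {
        "bits": bits,
        "work": work,
        # Expected draws until the first repeat among N values: sqrt(pi * N / 2)
        "birthday_estimate": round(math.sqrt(math.pi / 2 * 2 ** bits)),
        "exhaustive_space": 2 ** bits,
        # The pair collides only on the truncated prefix, not on full SHA-1.
        "full_digests_differ": hashlib.sha1(a).digest() != hashlib.sha1(b).digest(),
        "pair": (a, b),
    }


if __name__ == "__main__":
    for n in (16, 20, 24):
        r = report(n)
        print(f"{n}-bit: collision after {r['work']} hashes "
              f"(estimate ~{r['birthday_estimate']}, space {r['exhaustive_space']})")
```

The search yields a pair of inputs that collide with each other; it does not produce an input matching a digest chosen in advance, which is the distinction the thread draws between collisions and recovering a password from its hash.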